Non-profit Code.org notifies volunteers whose email addresses were exposed

Posted on by Dissent

From Code.org’s blog, yesterday:

Some volunteer email addresses compromised 🙁

On Friday night we discovered and fixed an error in the Code.org site that allowed access to our volunteer email addresses. This wasn’t a case of hackers breaching our security systems, rather it was our mistake of leaving volunteer email addresses accessible via the web browser.  (None of our servers were ever vulnerable, nor were our 10 million student/teacher accounts or passwords or other information ever vulnerable).

At least 10 of our volunteers received an unwanted “job offer” from a technical recruiting firm in Singapore, which is how we discovered this issue. We’ve emailed everybody who was possibly impacted, and also blogged about it.  We also wrote the recruiting firm, who responded:

From: the firm in Singapore
To: Code.org

Sorry about this
. our intention was we thought it’d be good to get them more opportunities to improve their own Computer Science skills beyond the opportunities available in their geographical boundaries / location. We’ve told our team to stop this with immediate effect.

No one should be receiving anymore e-mails from us from this point onwards.

You have my word that we will delete their email addresses from our mailing lists. They should not receive anymore emails from us.

Based on this response, it’s possible the vulnerability may have had limited impact, but we can’t be sure.  Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities.

At Code.org, we take privacy and security very seriously. Unfortunately we live in a time when security breaches are all too common. In the case of our youngest learners – students under the age of 13 – we don’t store their email address even if they give it to us, as an added precaution.

We apologize deeply for the inconvenience this has caused. I’m personally committed to making sure our team understands the gravity of this issue, to ensure it doesn’t happen again.

Hadi Partovi, CEO, Code.org

The incident was first reported on slashdot.

Thanks to Catalin Cimpanu for alerting me to this one.

Category: ExposureMiscellaneousU.S.