Rechercher
Close this search box.

WTF? How did they get my address?

In the world of emailing, complaints and non-compliance are numerous. At Badsender, the experts who investigate these cases are members of an elite unit called the Dezzers. Here are their stories! DUNDUUUUUN!!!! Sorry... I digress.

The names of the companies incriminated here are all anonymized, because I believe that everyone has the right (the duty!) to clean up their practices and not to suffer from their past mistakes ad vitam.

This is my story...

I recently had the opportunity to track down an email sent on my personal mailbox from an unknown company. Messaging that is strictly reserved for exchanges with my relatives, which although quite simple to guess is only communicated in certain specific cases.

Here, in front of your amazed eyes, is a copy of the famous email.

So we can quickly deduce that this email was sent to me without my consent. This kind of case particularly tickles me and as my colleagues like to say, I do not represent the majority of Internet users and their actions in front of this type of unwanted communication. By this I mean that when I receive a campaign for which I have never, in my memory, given my consent... I do not click on the unsubscribe link. No, ladies and gentlemen! I roll up the sleeves of my raincoat, put on my monocle and try to follow the small pebbles scattered here and there.

Taïaut to the attack!

To be honest, I did not expect to receive an answer to my request, in which I expressed my desire to receive a copy of the personal data in their possession concerning me, as well as their origins and of course the proof of my consent (maybe I sleepwalk and subscribe to mailing lists while I'm asleep... who knows). I also took the liberty of reminding you of the risks a company faces in the event of a breach of the GDPR, just in case.

To my great surprise, not even 2 hours passed between my torpedo my email and the answer of the co-founder of the said company. Very transparent, he tells me the source of the list shot: an agency specialized in data, which I quote "scans the web to send you qualified leads and automates all the time-consuming tasks related to prospecting. Bad move for them, I am not one of those who can be easily qualified (professional deformation I guess... or just boring ^^).

After this first step, which I must admit was quite easy, I was all revived! Continuing on my way, I snooped around on the website of this agency that boasts of identifying and sourcing the best prospects. I might as well tell you that they didn't just make a friend. Let's move on!
I transfer my request to them. After a few days, I receive an answer from their Customer Success Manager, with this time the complete list of my information in their database. It includes the region where I live, my position, obviously my first and last name, information about Badsender, a link to my Linkedin page (tilt!)... and the source: another agency.

At this stage, I felt like a simple email address sold to the highest bidder. Taking my time, I forwarded my email again (yes, it takes dedication)in which I obviously asked to be unsubscribed each time.
This time it took me a reminder before I got an answer from this 3ème agency. My approach must have been taken a little more seriously: the CEO responded in less than 10 minutes. Finally, did I get to the 1era agency, owner and reseller of the list of "qualified" prospects? It is with a little bit of I was stunned to learn where my data came from. Not so naive, I had understood that the leak came from my Linkedin account... nevertheless, my personal address is not indicated there!

And the method explained by the agency to collect the emails...

"Your email was found through the Rapportive extension of Sales Navigator assuming the email with your first and last name."

Need help?

Reading content isn't everything. The best way is to talk to us.


Rather vague for my taste, I ask for more information on the provenance.

"The source of your data comes from LinkedIn Sales Navigator from a search, this data is public and added by you when you register, as well as your personal email which is automatically available when someone gets in touch with you.
We didn't get your email in the direct form (i.e. a basic purchase or something like that), we generated your email (...) assuming firstname.lastname@(gmail.com,outlook.com,yahoo.fr...) and then offered this email to our client who decided to use it.

In the future if you don't want to have this kind of problem with other services, I would advise you not to enter your email on LinkedIn, because every person who comes in contact with you will be able to use it and find it."

Thank you for this advice!

After reading Linkedin's terms and conditions, it is indeed mentioned that we give our consent to the use of our data by the social network services and their partners:

"When members join LinkedIn, they expressly agree to our Terms of Service, including receiving promotional and other messages from us and our partners."

I don't blame the social network. I joined of my own free will to develop my professional network and allow anyone to contact me in this context. There was a time, when I was a freelancer, my account indicated a personal address (but not the one shot...) and since 2015 the email address on my account is that of Badsender, also available on the agency's website >> which is therefore not a secret.

OK! But then, apart from receiving an email without my consent, why isn't the address used my primary address on the network?
Does "assuming" someone's personal email address, under the pretext of being part of their network (and this is not the case here, I am not in relation with any of these agencies) comply with the RGPD? Is it allowed to generate email addresses (professional and personal) from data collected on a social network? Can we freely exploit this data? Plus, is it legal to monetize this information?

Although I have an idea of the answers, I will try to clarify these points with the CNIL and a lawyer soon. Stay tuned !

Support the "Email Expiration Date" initiative

Brevo and Cofidis financially support the project. Join the movement and together, let's make the email industry take responsibility for the climate emergency.

Share
The author

4 réponses

  1. Hehe, bravo Marion !!! 🙂 That's articles like I like them 🙂

    This is not the first time I've heard this from Sales Navigator & Linkedin.
    This poses a real problem for users which is multiple:
    - who really knows what he is agreeing to when he uses an extension, I mean really!
    - Would these users still use the said extension if they knew what it really exposed them to?

    The other problem with your article is: was your address really "assumed" - I use the term forged because that's what you really do when you "invent" addresses you don't formally know about" - or did it come from an even less glorious source than the extension they're talking about.
    If the address is forged, you don't fall under the GDPR and you even go through the looking glass because it's clearly spammy practices.

    I can't wait to read the rest of the story 😉

    PS: We see in filigram one of the advantages of the RGPD, we finally have an answer to his questions.

  2. And so you changed your last name on Linkedin... :p

  3. nice article! curious about the rest 🙂

    sales navigator would be used by business.linkedin.com
    However, I found in the options of my linkedin account a "partners and services" section, in which the business.linkedin.com service was authorized! I don't remember having activated this option :/

  4. Funny post! I tend to do the same thing in my spare time with companies with questionable practices.

    I often report them to the Signal Spam device, to consumer associations and to the Répression des Fraudes if their offer really seems misleading... in the long run this should contribute to the educational effort with companies concerning the use of our personal data 😉

    2 things to add to your post, especially about how these apps work:

    1 - In Linkedin, in the "Preferences and Privacy" menu and then in the Privacy section you will find the setting "Your email address" which allows you to choose who can "see" (and therefore access, including applications) your email address or not. This allows you to protect yourself a little more.

    2 - Despite this, the technique used by the first agency can be done without knowing the main email address of your Linkedin account: from the moment you are identified as a potential target, a small program can simply add your first and last names by combining hundreds of possibilities, then send a "test" email to check the existence or not of the said email addresses and finally resell those that are valid (with the risk for the buyer that it is possibly another person than you who will receive the prospecting email, a homonym for example).

    This is one of the worst growth hacking techniques that contribute to pollute the web and clutter our email boxes and datacenters around the world.

    I have a good feeling about the CNIL's answers on the subject, but I'll let you come back to us 😉

Laisser un commentaire

Your email address will not be published. Les champs obligatoires sont indiqués avec *