Shortwave email app introduces AI-powered summaries

Last year, a bunch of Google executives launched an email app called Shortwave, which aimed to fill in the gap left by the search giant’s Inbox app. Now, the company has introduced an AI-powered summary feature so you don’t have to read long emails or threads to get the gist.

The feature — powered by OpenAI’s GPT-3 — is available on all platforms in beta for free. The company says the summary also works well when translating emails from other languages. Shortwave has tested the feature on different kinds of use cases ranging from skimming over a newsletter to looking at a large number of emails in a short time.

What’s more, the company says that users can include a summary of a previous message while forwarding an email. Others can read this summary to get the context of the conversation quickly even if they don’t use Shortwave.

The startup plans to introduce more AI-powered functions in the future including more summarization methods and smart composing. It also wants to introduce a semantic search that allows users to search for phrases like “What time does my flight take off next Tuesday?”.

“The new capabilities of large language models have swung the door wide open for new ways to interact with your inbox. At Shortwave, we aim to pave the way towards an AI-enabled email future, starting with Smart Summaries, launching today in beta,” it said in a blog post.

Shortwave said that going forward free users will have some amount of access to these AI-powered features. However, the company is still evaluating its pricing strategy during the summary feature’s test phase.

While Shortwave is free for basic usage, it offers a subscription for $9 per month for power users and custom plans for teams as well. Apart from AI-powered features, Shortwave offers better categorization than Gmail, email grouping based on time, mentioning teammates, pinned emails, and support for emoji and GIF responses. The app treats emails as items in a to-do list, so you can snooze them or mark them as done.

Generating summaries for different kinds of media formats is a big use case for large language models. Last month, transcription company Otter launched a bot that automatically summarizes a meeting. Microsoft’s new AI-powered products like Bing and Edge can also summarize pages and documents. There are also other tools that provide a synopsis from links to YouTube videos and Slack threads to Resumes.

Shortwave email app introduces AI-powered summaries by Ivan Mehta originally published on TechCrunch

Sublime nabs $9.8M for an anti-phishing email security platform built on collective, crowdsourced rules

Malicious hackers are getting ever more creative with the techniques they use to break into networks to steal data and wreak havoc, but their primary route for opening that door has remained pretty consistent. Email is by far the most popular entry point for setting up and executing phishing, ransomware and other attack vectors, leading to some $2.4 billion in damages in 2021 across business email interactions in the U.S. alone, according to a report last year from the FBI.

Today a startup called Sublime Security is emerging from stealth with a novel, collective approach for tackling that problem: it has built a platform, and domain-specific language (DSL), for researchers and security operations people — those defending networks — to write, run and share rules with each other for detecting and blocking the wide range of threats most (and least) commonly delivered via email.

The Washington, DC-based startup has been operating in private beta for over one year, and in that time it’s picked up a number of large multinational customers ranging from government organizations through to companies like Spotify — along with a waiting list of 2,500 others. Now, as it moves into general availability it’s also announcing funding of $9.8 million.

Decibel is leading the round, with Slow Ventures and a number of individuals in the world of cybersecurity participating, including Sounil Yu (the Cyber Defense Matrix and DIE Triad creator); Snort and Sourcefire creator Martin Roesch; veteran CISOs Jerry Perullo and Michael Sutton; Demisto founders Rishi Bhargava and Slavik Markovich; Lookout founder Kevin Patrick Mahaffey; and Phantom Cyber and Pangea founder Oliver Friedrichs.

Sublime covers vectors like malware, ransomware, credential phishing, VIP impersonation and callback phishing. Its code can be applied to Microsoft 365 and Google Workspace enterprise mail systems, as well as run on individual accounts via IMAP. And in addition to its most basic use — inbound email security — Sublime can be used to gather and analyse trends in threats to an organization, block entire domains, run security exercises for compliance and training, and more.

The core product is free to use when it is self-hosted. The hosted version, Sublime Cloud, is charged after the first 10 mailboxes. Enterprise customers also pay when they self-host but want support and monitoring services.

Joshua Kamdjou, who co-founded Sublime with Ian Thiel, said in an interview that he first got the idea for the startup based on work he was doing for the Department of Defense, where he started working as a ‘white hat’ hacker when he was still in high school.

There, he got closely acquainted with the techniques that malicious hackers were using with phishing emails.

“Attackers are constantly coming up with new ways of bypassing defenses,” he said, the problem being that most of those defenses are based around security parameters set up by single security vendors, a “black box” approach in his words. When new techniques were applied by hackers, the onus was upon vendors to issue patches and updates to their systems to account for those.

But then new techniques would come up, and so on and so forth, creating lags and gaps in protection. “The vendor is the bottleneck,” he said. In his own testing, Kamdjou would apply a phishing technique one month, and then return a month later, “and the problem would still be there.”

Kamdjou saw an opportunity to build a solution by tapping into the collective knowledge and working practices of developers. Coming from the world of hacking and coding, using services like GitHub to track and contribute to projects was in his DNA. He applied that crowdsourced model to how Sublime would track and grow its own database of threat vectors and approaches.

To be clear, Sublime is not “open source” and Thiel and Kamdjou said they were still deliberating what aspects, if any, they might potentially make open source down the line. But it does borrow from some of that ethos. The Sublime team has written around two-thirds of the rules in Sublime’s database, with one-third contributed by the community, Thiel said.

Individual organizations subsequently make their own calls about how to customize their own email security, which of these rules to apply and which to leave to the side, putting significantly more power into the hands of customers. That’s been one of its selling points so far.

“Sublime gives detection teams the chance to take back control of the email inbox,” Dan Nguyen-Huu, a partner at Decibel, said in an interview. “The community-powered DSL means all of its customers are speaking the same language, sharing rules and being able to remediate better,” he said. “It means they can unite to fight the common enemy.” The approach it takes is unique in the market, he added.

“Defenders know their networks better than anyone, but we weren’t arming them as a community,” Kamdjou said. It’s also how many other security products not associated with email work. YARA for binaries, Sigma/EQL for logs, Snort/Suricata for networks, osquery/EDR for endpoint, Semgrep for static analysis are some of the examples Kamdjou cited.

Interestingly, the number of contributors so far has been only a small fraction of the total number of users that Sublime currently has.

“It’s kind of like Twitter,” Kamdjou said. “Most don’t Tweet, just read, and it looks like our model will be similar with only a small number writing rules and the rest finding those useful.”

Twitter is an apt analogy for another reason: Thiel said that Sublime has largely grown by word of mouth, and a lot of those words have been exchanged on that particular social platform. “Infosec lives on Twitter,” he said.

With new tools like generative AI representing potential ways to increase the volume of more sophisticated and convincing emails, you can see why and where it would make sense to speed up how end users themselves might be able to identify and respond to these threats. That might lead to more contributors, and more Sublime use, over time; what will be interesting to watch is how and if AI models start to get applied to the generation of more defenses, too.

Sublime nabs $9.8M for an anti-phishing email security platform built on collective, crowdsourced rules by Ingrid Lunden originally published on TechCrunch

Lavender lands $13.2M for its AI-powered email marketing engine

Years ago, Will Allred and William Ballance were developing a tech platform, Sorter, to apply personality and communication psychology to marketing campaigns. Just as Sorter was heading to market, the pandemic hit — and marketing budgets froze. With a week of funding left, Allred and Ballance pivoted, repackaging their tech to work in Gmail in what they thought would be a brief detour to Sorter’s launch.

But users liked the repackaged product — and so did investors. So Sorter became Lavender, an AI-powered sales email coaching platform.

Lavender integrates with email providers to serve up context on a sales prospect and suggest ways to optimize the message to get a reply. Showing that there’s money in the idea, the company today announced that it raised $13.2 million across a Series A round led by Norwest Venture Partners with participation from Signia Venture Partners and a seed round led by Signia with contributions from CapitalX, Position Ventures and various angel investors.

“By combining deep learning on email data with communication and behavioral psychology, Lavender’s AI writing assistant identifies and implements ways to increase reply rates,” Ballance told TechCrunch in an email interview. “In today’s climate, teams have to do more with less. While sales team sizes shrink due to layoffs, teams use Lavender to make each rep more effective and efficient.”

Lavender’s product is made up of three different components: a sales email coach, a “personalization assistant” and an email intelligence and coaching portal. The email tools provide research material (e.g. news and updates, funding stats, job listings, events, tweets and more) on recipients and can automatically create drafts from that research (à la ChatGPT), or simply generate a few bullet points to work within a preexisting email thread. As an email’s written, Lavender scores it in real time, suggesting improvements in specific areas.


Lavender’s analytics dashboard shows high-level details about emails, including inbound rates and potential areas of concern. Image Credits: Lavender

“Writing a ‘better email’ is a four-step process — research, create, edit and learn — and our product helps across all four,” Ballance said. “Instead of automating, we help users write effective personalized emails faster. The AI works alongside them, but doesn’t replace them.”

Lavender’s aforementioned learning portal, meanwhile, aggregates and analyzes email activity, highlighting areas in need of improvement. Managers using Lavender can see which email templates are working versus which aren’t for instance, as well as metrics like individual email scores, open rates, reply rates and writing time.

Lavender also detects “at-risk” reps that may need additional support or coaching to meet certain goals. That’s not a feature likely to thrill every rep, particularly those who value their own processes and privacy. But Ballance makes the case that it’s a net good where an organization’s sales are at stake.

“Sales teams have become too focused on optimizing for efficiency and automation. This forced optimization has left buyers with a bad impression of sellers, because they feel as if they’re just a number,” he said. “Sales needs to go back to building real relationships — not automation and spam. Lavender makes real personalized emails faster for our users.”

While Lavender isn’t the only firm applying automation to the marketing and sales outreach segment, it’s certainly benefiting from the general boom time. According to a 2022 report from Ascend2 and Research Partners, 69% of marketers say that their overall customer journey is partially or mostly automated while 9% say that theirs is fully automated. The same report found that nearly a third — 31% — of marketing professionals planned to purchase a marketing automation solution in the next 12 months.

Lavender’s rivals include Sellscale, which similarly uses generative AI to write marketing emails, and marketing automation startup Klaviyo, which received a large investment from Shopify last August. (Ballance sees Jasper and Regie as competitors, too; both leverage text-generating AI for marketing copy drafting.) Lavender has a respectable customer base, though, totaling around 11,000 sellers at organizations including Twilio, Segment, Sendoso, Sharebite and Clari.

“We built for nearly two more years before raising venture capital,” Ballance said, declining to answer a question about recurring revenue. “Lavender is well-capitalized to continue building in the current market.”

Lavender’s team recently grew to 16 employees, up from six in Q4 2022. Ballance says that the startup — which has raised $14.2 million in total to date — will continue to expand and fill “key roles” throughout the rest of the year.

Lavender lands $13.2M for its AI-powered email marketing engine by Kyle Wiggers originally published on TechCrunch

3 views: Meetings are bad, yo. Choose emails

It’s a long weekend here in the United States, meaning office workers, at least, get a three-day break from the dreaded meeting. We wanted to take this time to offer up an impassioned defense of … email.

Hear us out. It’s conventional wisdom that meetings are killers of productivity and morale and happy work environments. So why not write an email?

We know email has its drawbacks, too — it’s hard to manage and riddled with spam. But as work moves ever more online, it’s superior to meetings. Two inbox zeroers and one Chaos Muppet drowning in notifications — see if you can guess who’s who! — tell you why.

Ram Iyer: Do you love meetings, or do you just hate writing?

Back when I used to smoke, I also used to work at a publication that had frequent and immensely unproductive meetings. Most of our team of over 20 people would just sit by quietly for an hour while someone droned on about something.

If you’re counting the person-hours wasted, each of those meetings wasted an average of 20 hours that could have been spent doing actual work. They were unnecessarily stressful, too: I found myself desperately wanting to smoke after every single meeting, and I wasn’t alone.

Thankfully, that hasn’t always been the case. I’ve been fortunate to mostly have worked in companies that fostered a culture of just communicating via email or messaging. But in hearing my friends and ex-colleagues complain about work over the past couple of years, I noticed a trend: As the pandemic sent everyone home, meetings became ever more frequent to the point that people found them getting in the way of their work.

I’ve asked this question often over the past couple of years: If it can be an email, why isn’t it? Why are people so driven to speak when they could write an email and save everyone’s time?

I think I finally have a theory.

OneSignal lands $50M to automatically optimize SMS, in-app and email campaigns

OneSignal, a platform that powers notifications for mobile apps and more, today announced that it raised $50 million in a Series C round led by BAM Elevate with participation from SignalFire and other existing investors. The infusion brings OneSignal’s total raised to $80 million and will be used to make investments in machine learning, geographic expansion, and growing OneSignal’s team (from 140 employees to 170) by the end of the year.

Beginning as a mobile game studio, OneSignal pivoted to customer engagement when co-founder and CEO George Deglin saw an opportunity to address a perennial challenge in app development: creating an effective push notification pipeline.

“There is a huge shift happening in the mobile app industry. Technology and regulatory changes have made advertising less effective and more expensive by making it harder to target ads on platforms like Facebook. As a result, companies are shifting their focus from paid advertising channels like Facebook Ads to ‘owned channels’ like push notifications, emails, and in-app messages,” Deglin told TechCrunch via email. “Despite this recent shift, most of the technology that’s available to help brands engage with users on owned channels was not built for a mobile-centric world.”

By contrast, Deglin asserts, OneSignal is mobile-centric, with tools designed to let businesses automate the delivery of messages across channels, including SMS, email, and app notifications and in-app messages. OneSignal customers can centralize user communications within the platform, customizing their campaigns based on metrics to improve open rates.

There’s truth to the notion that customized, personalized messages can move product. According to a 2021 McKinsey survey, 76% of consumers said that receiving personalized communications was a key factor in prompting their consideration of a brand, while 78% said such content made them more likely to repurchase.

“OneSignal was founded by Long Vo and I in 2015. Long and I were running a Y Combinator-backed game studio but pivoted it into a push notification platform [and then a customer engagement solution] after discovering how hard it was for developers to communicate with their users,” Deglin said. “Prior to their meeting, I was the co-founder and CTO of Uversity, a student engagement platform. Long Vo was co-founder and art director of Gaia Online, an anime-themed social network. We were introduced through a mutual friend who thought we would be great co-founders for each other.”


OneSignal competes with Braze, CleverTap, and Xtremepush, among others. Braze is a publicly traded company, having raised around $175 million when private, while CleverTap most recently bagged $105 million in funding at a $775 million valuation. But Deglin argues that OneSignal differentiates itself by focusing on “intelligent delivery,” or analyzing the time and day users engage with an app and automatically scheduling “re-engagement” campaigns to be delivered based on the historical trends.

“By providing these types of automatic personalizations, OneSignal enables its customers to focus on building great apps and saves them time and guesswork that they would otherwise spend trying to determine the best time or frequency to send their messages,” Deglin added. “Just as smartphones are getting better at making recommendations based on how people use them, OneSignal sees an opportunity to democratize technology for all app developers to optimize their messaging campaigns to provide more personalized experiences to their users.”

Indeed, OneSignal has grown quite large, with over 1.7 million developers and marketers on the platform and roughly 6,000 paying customers. One accelerant has been OneSignal’s freemium plan, Deglin says, which limits certain features but doesn’t cap the number of users or messages that customers can send push notifications to.

“OneSignal has rapidly grown during the pandemic as more businesses recognized the importance of keeping their customers engaged, and increasing retention, with push notifications and emails … The company has also benefited from changes in the advertising ecosystem that have made it more costly to acquire users and, therefore, even more important to maximize user retention,” Deglin said. “OneSignal was well prepared for economic headwinds and has continued to grow quickly while not overspending. This round allows OneSignal to reach profitability while maintaining rapid growth … Efficiency has been a focus for the business and gross margins are over 90%.”

BAM Elevate’s Jamie McGurk, who’s joining OneSignal’s board of directors, told TechCrunch in a statement: “Today’s users expect hyper-personalized, relevant, and timely communication across every touchpoint. Creating a multichannel communication strategy is a must and OneSignal allows you to do this quickly and easily. It’s an honor to join the OneSignal team and I’m looking forward to working with George and the rest of the leadership team to continue on the great progress the company has made.”

Email will be with us until the universe dies, so these startups are working to make it better

Ah, email. Why did you send my friend’s birthday party invite to my spam folder? Why do you make it so easy to archive an email when I don’t even know what that means? Why are you … blue now … Gmail?

Email is a necessary evil. So whenever I hear about startups looking to innovate on the decades-old communication tech, I’m instantly intrigued considering the huge number of potential areas of improvement. Plus, talk about a large TAM!

Startups have taken note. Boomerang launched its email productivity software in 2010, Superhuman has raised $108 million to help users get through their inbox faster since its 2014 launch. Trying to build a better email mousetrap isn’t exactly a novel concept, but could be big business.

I recently received pitches from two new upstarts, both of which launched their email innovations in the last year, that really piqued my interest. Let’s meet them.

Google faces ‘spam ads’ ePrivacy complaint in France

Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gmail email service in the guise of emails.

Privacy advocacy group, noyb, has filed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the European Union’s ePrivacy Directive rules on direct marketing by failing to gain consent from Gmail users for the ads it displays inside their inboxes, alongside promotional emails they have actually signed up for.

noyb’s complaint cites a ruling by the EU’s top court last year, in a separate case related to the use of email for direct marketing, which it argues makes it plain that ads displayed inside a user’s inbox constitute “a use of electronic mail for the purposes of direct marketing” — which, under ePrivacy rules, requires user consent. (The Gmail advertising emails only distinguish themselves from genuine emails users have signed up for by the inclusion of an ‘ad’ label and the lack of a date-stamp.)

The complaint asserts that Gmail users did not consent to being spammed with Google’s ads — noting that, under ePrivacy, consent would have needed to be obtained prior to the ads being displayed in their inboxes.

noyb also argues that exceptions set out in relevant EU law do not apply here because Google’s ad emails are not used for the direct marketing of similar products for which consent was previously obtained.

“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” added Romain Robert, lawyer at noyb, in a statement. 

Google was contacted for comment on the complaint.

France’s CNIL has been an active regulator of Google on privacy issues, making use of the competency it can exert under ePrivacy — which, unlike the General Data Protection Regulation, does not require cross-border complaints to be funnelled through a lead DPA (in Google’s case, Ireland’s Data Protection Commission) — avoiding the GDPR bottleneck that has slowed down privacy enforcement against Big Tech.

Back in December 2020, the CNIL fined Google $120M for dropping tracking cookies without consent — after finding it had breached ePrivacy rules. It followed that up with another beefy fine — $170M — this January for dark patterns it found Google deploying in cookie consent flows.

Those French ePrivacy enforcements soon led to Google announcing an updated cookie consent banner in Europe which finally offered users a top-level option to refuse all its tracking — suggesting muscular enforcement of laws defending web users’ rights and freedoms can face down the power of Big Tech.

The CNIL also managed to slap Google with an early GDPR enforcement, back in 2019, prior to a legal switch which brought the company’s EU users under the jurisdiction of its Irish subsidiary (instead of its US parent) — thereby ensuring that subsequent GDPR complaints against Google have been routed through Ireland.

Hence the majority of GDPR enforcement on major complaints against Google — such as over the legality of its adtech (a formal investigation was opened in May 2019); or its location tracking practices (under probe in Ireland since February 2020) — remains in limbo as the Irish regulator’s painstaking procedures grind on. But decisions must flow eventually — within months or years.

It will be interesting to see which arrives first: A decision from France’s CNIL on this fresh noyb complaint against Google’s Gmail ad spam (filed August 2022) — or a final decision from Ireland on Google’s adtech or location tracking.

In the meanwhile, noyb has been pressing another series of strategic complaints against Big Tech by targeting b2b users of Google Analytics and Facebook Connect across the EU — which has led to a number of breach findings and warnings from DPAs against use of Google’s analytics software, with France’s watchdog putting out guidance in June that warns users of the tool of the need to apply additional safeguards to ensure their implementation complies with GDPR requirements on data transfers outside the bloc or else switch to a compliant (non-Google) alternative.

Facebook also has a major decision hanging over it related to a long-standing complaint about its EU data exports which was originally filed by noyb’s chairman — long before he founded the privacy advocacy group.

Twitter fixes security bug that exposed at least 5.4 million accounts

Twitter says it has fixed a security vulnerability that allowed threat actors to compile information of 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.

The vulnerability allowed anyone to enter a phone number or an email address of a known user and learn if it was tied to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.

In a brief statement published Friday, the microblogging giant said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”

Twitter said it fixed the bug in January — six months after the bug was initially introduced to its codebase — after a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.

According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.

But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.
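As an added defensive illustration of the lookup behaviour described above (example code, not Twitter’s), the block below pairs a lookup that leaks account linkage with one that answers identically whether or not the identifier is known, and adds a log-based check that flags a single client submitting many distinct identifiers in a short window, the traffic pattern a bulk enumeration would produce. The account table and request log are constructed for the example.

```python
"""Account-enumeration defence: a non-leaking lookup response plus a
detector for clients probing many distinct identifiers. All data here
(ACCOUNTS and LOG) is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed account table: contact identifier -> account handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550000001": "@bob_private",
}


def vulnerable_lookup(identifier: str) -> str:
    # Mirrors the reported behaviour: the caller learns which account
    # (if any) the submitted email/phone is tied to.
    handle = ACCOUNTS.get(identifier)
    return f"linked to {handle}" if handle else "no account found"


def hardened_lookup(identifier: str) -> str:
    # Same message regardless of whether the identifier exists. Any real
    # notice (e.g. a recovery link) goes out of band to the contact's
    # owner, never back to the requester.
    _ = ACCOUNTS.get(identifier)  # out-of-band notification would go here
    return "If this contact is linked to an account, a message has been sent to it."


@dataclass
class Request:
    ts: int          # unix seconds
    client: str      # source IP or API key
    identifier: str  # email/phone submitted to the lookup


# Constructed request log: one client probing 25 different addresses in
# the same second, one ordinary user retrying their own address.
LOG = [
    Request(100, "203.0.113.5", f"user{i}@example.com") for i in range(25)
] + [
    Request(100 + i, "198.51.100.7", "me@example.com") for i in range(5)
]


def find_enumerators(log, window_s=60, max_distinct=20):
    """Return the set of clients that submitted more than `max_distinct`
    distinct identifiers within any `window_s`-second sliding window."""
    by_client = defaultdict(list)
    for r in log:
        by_client[r.client].append(r)

    flagged = set()
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        seen = defaultdict(int)  # identifier -> count inside the window
        start = 0
        for r in reqs:
            seen[r.identifier] += 1
            # Slide the window start forward past expired requests.
            while reqs[start].ts < r.ts - window_s:
                old = reqs[start].identifier
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_distinct:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"))   # leaks the handle
    print(hardened_lookup("alice@example.com"))     # uniform reply
    print(find_enumerators(LOG))                    # {'203.0.113.5'}
```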

Twitter said it learned about the exploitation from an unspecified press report in July, which found a listing on a cybercrime forum claiming to have user data “from celebrities to companies,” and OGs, referring to custom or highly sought-after social media and gaming usernames.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”

It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted for setting up two-factor authentication, for targeted advertising.

Discord gives servers a way to intercept spam and harmful content, will expand premium memberships

Discord is introducing a native way for servers to preemptively detect and block harmful messages and spam. The tool, called AutoMod, is available today and will allow anyone who moderates one of Discord’s server-based communities to create a custom list of words that the new bot can scan for and intercept.

When one of the target words is detected, the bot can automatically block that message so it never hits the server, send an alert to a specific channel to give moderators a heads-up or put a user in “timeout” by temporarily turning off their ability to send messages. Discord will also provide a pre-built list of words and phrases that are commonly flagged by mods that can easily be toggled on without building a custom keyword list.

“I think one of the big pain points that we’ve heard from a lot of moderators is that they spend a lot of time policing their servers, as opposed to actually doing the things that they want to do, like running events [and] creating culture,” Discord Head of Creator Product Marketing Jesse Wofford told TechCrunch.

Unlike existing tools, Discord’s AutoMod can preemptively scan conversations, identifying anything with the targeted keywords before it ever appears in chat. External tools previously didn’t have the permissions required to see messages before they hit a server and instead would automatically moderate them a few seconds afterward. Discord says that it will give its developer community the ability to build onto AutoMod’s preemptive detection ability now that the new native tool is in the wild.

“There are a lot of moderation bots on Discord and I think they’ve actually been doing a lot of the heavy lifting for now,” Wofford said. “We’ve taken a lot of inspiration from them in terms of what’s working for them and actually chatting directly with developers and chatting to our admins about what they like.”

Discord is increasingly building some of the features its users previously incorporated through external services into its core app. Users have long relied on the app’s external ecosystem of plug-in tools to do everything from welcoming new server members and scanning for harassment to DJing music within channels and playing mini games.

Wofford says that Discord wants developers to “come along for the ride” and remain relevant even as the company integrates features that external bots previously provided to its community.

Beyond introducing AutoMod, Discord also announced that it will expand premium memberships, a Patreon-like way for active community members to pay for perks and additional server access.

Discord first announced a pilot program for premium memberships back in December. The company started by giving a small cluster of communities access to the feature set, which allows servers to make a portion of or all of their content available to paid members only. The early servers that tested premium memberships included a game tutorial community, The Trans Community Center and Stream Professor, which offers guides for people getting into livestreaming.

The idea is to both make the work of maintaining a Discord community more “sustainable” and to bring outside payments users make for premium content on Patreon or elsewhere into Discord itself.

This summer, Discord will begin allowing more servers to enable premium memberships, but the company isn’t yet opening the feature to anyone. Discord will allow servers in the U.S. with under 500 members to apply for the program, but will still hand-review those communities to ensure that the rollout goes smoothly and that the company learns along the way.

“We want to make sure that we’re being very thoughtful about people coming in,” Wofford said. “We think that we’re creating a really new paradigm for career monetization, when it comes to the idea of community being something of value you can monetize. And I think we’re playing the long game here.”

Discord is also introducing two new resources for mods and admins that manage communities: a community resource center stocked with educational information to help servers get up and running and a special hub where community admins can interact with Discord’s staff, get news and join events.

Workrise fixes API that spilled users’ personal information

Workforce management unicorn Workrise has fixed an exposed API that was spilling some users’ personal information.

The Austin, Texas-based startup, which previously went by RigUp, was founded in 2014 as a marketplace for on-demand and skilled labor in the oil and gas industry. The company changed its name to Workrise in February 2021 to accommodate a broader set of energy sectors, like solar, construction and defense. By May 2021, Workrise said it had raised $300 million at a $2.9 billion valuation. But last month, Workrise announced layoffs that reportedly hit hundreds of the company’s 600 employees after the mid-pandemic pivot failed to pan out.

Now, a security researcher who goes by the handle Rzlr told TechCrunch that they found an exposed Workrise API that allowed anyone to retrieve personal information about subcontractors directly from Workrise servers without needing a password.

The API returned names, email addresses and some details about subcontractors’ work, as well as the names and email addresses of the people who provided references for the subcontractors, such as their former colleagues and managers.

In simple terms, an API allows two things to talk with each other over the internet, like a smartphone app, a Peloton bike, or door locks that need to communicate with their servers. In this case the API required no authentication at all: it could be queried from a web browser by plugging in a four-digit user ID that corresponds to a subcontractor’s review. Because the user IDs were sequential, anyone could read another subcontractor’s information simply by adding or subtracting one from the ID in the request. This is a common security flaw known as an insecure direct object reference (IDOR): the server hands out a direct reference to an internal record and never checks whether the caller is entitled to see it. Rzlr said not every ID in the range returned a valid response.

Several of the exposed records seen by TechCrunch were created as far back as 2019 and marked as “draft.”

Rzlr said in their limited testing of 1,000 records, they found more than 920 records with names and email addresses. Rzlr said the API did not limit the amount of data that could be downloaded, which they warned could have presented a scraping risk.

A screenshot shared with TechCrunch showed that the data could be easily scraped.
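The two weaknesses the article describes, an endpoint that checks no credentials and a record identifier that can be counted up by one, are worth seeing side by side. The example below is added here and is not Workrise’s code; it models a minimal review-lookup endpoint with both flaws, the enumeration sweep a scraper would run against it, and a hardened version that requires a session, checks that the caller owns the record and replaces the sequential ID with an opaque random handle. The record store, account names, IDs and the `login`, `vulnerable_lookup`, `hardened_lookup`, `handle_for` and `enumerate_ids` functions are all constructed for the example. The same pattern applies to the referral-code endpoint mentioned below: a guessable or leaked identifier is harmless only if the server also checks who is asking.

```python
"""Added example, not Workrise's code: a lookup endpoint with the flaws the
article describes (no authentication, sequential IDs) beside a hardened
version, plus the enumeration sweep a scraper would run against the first.

Every record, account name, ID and helper below is constructed for the example."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Review:
    subject_name: str
    subject_email: str
    reference_name: str
    reference_email: str
    status: str   # "draft" or "published"
    owner: str    # account entitled to read the full record


# Constructed store keyed by a sequential four-digit ID. The gap at 1003
# mirrors the article's note that not every ID returned a record.
REVIEWS = {
    1001: Review("Ana Sub", "ana@example.com", "Ref One", "ref1@example.com", "draft", "ana"),
    1002: Review("Ben Sub", "ben@example.com", "Ref Two", "ref2@example.com", "published", "ben"),
    1004: Review("Cai Sub", "cai@example.com", "Ref Three", "ref3@example.com", "draft", "cai"),
}


def _full_view(rec: Review) -> dict:
    return {
        "name": rec.subject_name, "email": rec.subject_email,
        "reference": rec.reference_name, "reference_email": rec.reference_email,
        "status": rec.status,
    }


# --- Vulnerable endpoint: GET /reviews/<id>, no session, guessable ID ------
def vulnerable_lookup(user_id: int) -> Optional[dict]:
    """The record is addressed directly by its database ID and nothing ties the
    caller to that record: a textbook insecure direct object reference (IDOR)."""
    rec = REVIEWS.get(user_id)
    return _full_view(rec) if rec else None


def enumerate_ids(lookup: Callable[[int], Optional[dict]], start: int, count: int) -> list[int]:
    """What a scraper does against sequential IDs: walk the range, keep the hits.
    Against the vulnerable endpoint this is a complete dump of the table."""
    return [i for i in range(start, start + count) if lookup(i) is not None]


# --- Hardened endpoint ------------------------------------------------------
SESSIONS: dict[str, str] = {}   # session token -> account


def login(account: str) -> str:
    """Stand-in for the real login page; issues a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


# Opaque, random handles replace the sequential ID in URLs. Knowing one handle
# tells an attacker nothing about the handle of any other record.
_HANDLE_TO_ID: dict[str, int] = {}
_ID_TO_HANDLE: dict[int, str] = {}
for _rid in REVIEWS:
    _h = secrets.token_urlsafe(16)
    _HANDLE_TO_ID[_h] = _rid
    _ID_TO_HANDLE[_rid] = _h


def handle_for(review_id: int) -> str:
    """Server-side lookup of a record's handle (what its owner sees in the UI)."""
    return _ID_TO_HANDLE[review_id]


def hardened_lookup(token: Optional[str], handle: str) -> Optional[dict]:
    """GET /reviews/<handle> with a session. Three independent checks:
    1. authentication: the token must map to a live session;
    2. object resolution: the handle must exist (and cannot be guessed);
    3. authorization: the record's owner must be the caller.
    Every failure returns None (401/404/403 in a real HTTP layer). They are kept
    indistinguishable so a probe cannot tell "no such record" from "not yours",
    which would otherwise confirm which handles exist."""
    account = SESSIONS.get(token) if token else None
    if account is None:
        return None
    rid = _HANDLE_TO_ID.get(handle)
    if rid is None or REVIEWS[rid].owner != account:
        return None
    return _full_view(REVIEWS[rid])
```

Two things the example deliberately leaves out, which a real fix would still need: per-account rate limiting, so that even an authorized caller cannot bulk-download at will (the article notes the API imposed no such limit), and a way to report a vulnerability that does not depend on the researcher’s mail clearing a spam filter, such as a published security.txt with a monitored address.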

TechCrunch emailed CEO Xuan Yong and COO Mike Witte, who did not respond, but a short time later the API was no longer publicly accessible and was protected by a login page. In an emailed response, Eric Murphy, Workrise’s vice president of security, told TechCrunch: “Users maintain public profiles by default. To the extent Workrise determines any active user data was exposed that was not intended to be public, Workrise plans to notify those users directly.”

Rzlr said they contacted several Workrise email addresses on April 22 — including Murphy’s and the company’s main security email address — about the exposed API. When asked why the API was not secured for two weeks until TechCrunch contacted the company, Murphy said the researcher’s emails were marked as spam.

Workrise also fixed a second API issue that allowed anyone to obtain users’ referral codes, which could then be used to query the API to obtain the name, email address, phone number and the referral payment amount of users who invited others to join the site.

When asked if the company had carried out security audits of its systems, Murphy said the company had undergone “multiple” third-party audits but declined to name the company that allegedly performed them.