An email ‘autodiscover’ bug is helping to leak thousands of Windows passwords

Shipping companies, power plants, and investment banks don’t often share much in common, but new research shows they are all inadvertently leaking thousands of email passwords of their own employees, thanks in part to a design flaw in a widely used email protocol.

Autodiscover is a feature in Microsoft Exchange, popular email server software that companies use to host their own email, that sets up apps on a phone or a computer using just an employee’s email address and password. It’s meant to make it easier to set up an email or calendar app, for example, by offloading the hard work to the server rather than configuring the app by hand.

Most apps will look for the configuration file in a handful of well-known places on the company’s domain. Each time an app looks somewhere and can’t find it, it will “fail up” and try somewhere else on the same domain. If it still can’t find the file, the user is left to configure the app by hand.

But some apps will inadvertently fail up one step further before hitting a wall. That’s a problem because behind the scenes the app is trying to communicate with a domain name that’s outside of the company’s control but within the same top-level domain: a mailbox at company.com would end up looking for the configuration file on autodiscover.com. Anyone who owns that domain name can “listen” to the email addresses and passwords as they are sent across the internet.
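The walk described above, as an added example that is not from the article or from Guardicore: it models the “fail up” sequence for one mailbox address, flags the probes that leave the organisation’s own domain, and runs the same check over constructed proxy log lines of the kind a security team could search for. The exact order in which real clients probe varies; the walk here is a simplified model, and every host, address and log line is constructed.

```python
# Added example (not from the article or from Guardicore): model the Autodiscover
# "fail up" walk for one mailbox address, flag the probes that leave the
# organisation's own domain, and run the same check over constructed proxy log lines.
from __future__ import annotations

from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def candidate_hosts(email: str) -> list[str]:
    """Hosts a failing-up client may probe for autodiscover.xml, in order.

    The walk (the mail domain, then autodiscover.<domain>, then drop the
    leftmost label and retry) is a simplified model of the behaviour the
    article describes; real clients differ in detail (assumption).
    """
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    hosts = [domain, f"autodiscover.{domain}"]
    # Each extra round drops one label; the last rounds land on autodiscover.<tld>.
    for i in range(1, len(labels)):
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return hosts


def leaves_organisation(host: str, org_domain: str) -> bool:
    """True when host is neither org_domain nor one of its subdomains."""
    host, org = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    return host != org and not host.endswith("." + org)


def leaky_hosts(email: str, org_domain: str) -> list[str]:
    """The probes in the walk that would hand credentials to whoever owns the host."""
    return [h for h in candidate_hosts(email) if leaves_organisation(h, org_domain)]


# Constructed proxy log lines, not real traffic: time, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2021-04-12T09:14:01Z 10.0.0.12 GET https://autodiscover.acme.co.uk/autodiscover/autodiscover.xml 404
2021-04-12T09:14:02Z 10.0.0.12 GET https://autodiscover.co.uk/autodiscover/autodiscover.xml 200
2021-04-12T09:14:03Z 10.0.0.12 GET https://www.acme.co.uk/ 200
2021-04-12T09:15:10Z 10.0.0.33 GET https://autodiscover.uk/autodiscover/autodiscover.xml 401
"""


def find_offdomain_probes(log_text: str, org_domain: str) -> list[tuple[str, str]]:
    """(client, host) for every autodiscover request that went outside org_domain."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        target = urlsplit(url)
        host = (target.hostname or "").lower()
        if target.path.lower() == AUTODISCOVER_PATH and leaves_organisation(host, org_domain):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("walk:", candidate_hosts("user@mail.acme.co.uk"))
    print("off-domain probes:", leaky_hosts("user@mail.acme.co.uk", "acme.co.uk"))
    for client, host in find_offdomain_probes(SAMPLE_PROXY_LOG, "acme.co.uk"):
        print(f"ALERT {client} sent an Autodiscover request to {host}")
```

For user@mail.acme.co.uk the walk ends at autodiscover.co.uk and autodiscover.uk, neither of which the company controls; those are the hosts an egress filter or DNS blocklist should cover, and any proxy hit on them with the autodiscover path is worth an alert.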

Researchers have for years warned that email apps are vulnerable to this kind of data leakage and can put a company’s credentials at risk. Several apps were fixed at the time, but it’s clearly a problem that hasn’t gone away.

In April, Guardicore Labs acquired the autodiscover domains for some of the most common top-level domains — autodiscover.uk, autodiscover.fr, and so on — and set them to “listen” to leaky requests as they arrive.

In four months, Guardicore says it identified 340,000 exposed Exchange mailbox credentials hitting those domains. Some companies allow those same credentials to be used to log onto the corporate Windows domain, which widens the risk if they are misused by a malicious hacker. Guardicore said the credentials were sent over the internet in plaintext and could be read at the other end.

Another 96,000 Exchange credentials were sent using authentication schemes that are far stronger and do not expose the password itself, but the apps could be tricked into sending the same credentials over the wire in the clear.

Amit Serper, Guardicore’s security research lead for North America and the author of the research, developed an attack that answered the app’s protected login attempt with a request to use a weaker level of security to send the email address and password again, prompting the app to re-send the credentials in cleartext.

Serper named the attack, perhaps fittingly, “The ol’ switcheroo.”
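The exchange described above, as an added example that is not from the article or from Guardicore: a hypothetical listener on an autodiscover.&lt;tld&gt; host answers a client’s stronger login attempt with a challenge that offers only Basic authentication, and a client that honours any Basic challenge re-sends its password in the clear. The concrete mechanism modelled here (an HTTP 401 whose WWW-Authenticate header advertises only Basic) is this editor’s assumption; the article does not spell out the messages. The hostname, user and password are constructed.

```python
# Added example (not from the article or from Guardicore): a model of the
# downgrade the article calls "the ol' switcheroo", with both sides' messages.
# The concrete mechanism modelled, an HTTP 401 whose WWW-Authenticate header
# offers only Basic, is this editor's assumption; the article does not spell
# out the messages. Hosts, names and the password are constructed.
from __future__ import annotations

import base64


def decode_basic(header: str) -> tuple[str, str]:
    """What a listener reads from 'Authorization: Basic <base64(user:password)>'."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def offered_schemes(challenge: str) -> set[str]:
    """Scheme names in a WWW-Authenticate value such as 'Basic realm="x", Negotiate'."""
    return {part.strip().split(" ", 1)[0].lower()
            for part in challenge.split(",") if part.strip()}


class SwitcherooListener:
    """Hypothetical server on an autodiscover.<tld> host (modelled, not Guardicore's code).

    Any request that arrives with a challenge-response scheme is refused with
    a 401 that advertises Basic only; Basic credentials are decoded and kept.
    """

    def __init__(self) -> None:
        self.captured: list[tuple[str, str]] = []

    def respond(self, request: dict[str, str]) -> dict[str, str]:
        auth = request.get("Authorization", "")
        if auth.lower().startswith("basic "):
            self.captured.append(decode_basic(auth))
            return {"status": "200"}
        return {"status": "401", "WWW-Authenticate": 'Basic realm="autodiscover"'}


def fetch_autodiscover(user: str, password: str, server: SwitcherooListener,
                       allow_basic: bool, host: str = "autodiscover.uk") -> list[dict[str, str]]:
    """Model of an app fetching autodiscover.xml; returns every request it sent.

    The app opens with a challenge-response scheme (an opaque Negotiate/NTLM
    token stands in for the real exchange, which never carries the password).
    allow_basic=True models a client that obeys any Basic challenge it is given;
    a hardened client refuses Basic, and would also have stopped before the
    host left its own domain.
    """
    sent: list[dict[str, str]] = []
    first = {"Host": host, "Authorization": "Negotiate <opaque-token>"}
    sent.append(first)
    reply = server.respond(first)
    if reply["status"] == "401":
        schemes = offered_schemes(reply.get("WWW-Authenticate", ""))
        if "basic" in schemes and allow_basic:
            token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
            second = {"Host": host, "Authorization": f"Basic {token}"}
            sent.append(second)
            server.respond(second)
    return sent


if __name__ == "__main__":
    listener = SwitcherooListener()
    fetch_autodiscover("user@acme.co.uk", "Winter2021!", listener, allow_basic=True)
    print("leaked to listener:", listener.captured)
    hardened = SwitcherooListener()
    fetch_autodiscover("user@acme.co.uk", "Winter2021!", hardened, allow_basic=False)
    print("leaked to listener:", hardened.captured)
```

The two client policies differ by one decision: whether a Basic challenge from the server is ever honoured. A client that refuses Basic sends nothing the listener can read, whatever the listener advertises.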

The domains also saw exposed credentials from real estate companies, food manufacturers, and publicly traded companies in China, Serper said.

For the average user, the leak is practically invisible. Guardicore is not immediately naming the apps that are the biggest culprits of leaked credentials, since many of the app makers are still working on rolling out fixes. Serper told TechCrunch that once the apps are fixed, the domains will be sinkholed but will remain under Guardicore’s control to prevent them from falling into the hands of malicious actors.

Guardicore does not control every such domain, so companies and users should take their own precautions by blocking autodiscover domains at the top level (autodiscover.com, autodiscover.uk and so on), Serper said. App makers can also stop their apps from failing upwards beyond a company’s own domain.

Demand Curve: Tested tactics for growing newsletters

There are very few marketing channels as well rounded as email newsletters. They provide a direct, owned line of communication with your audience, deliver nearly 40x return on investment (roughly $40 generated for every dollar spent), are infinitely scalable and are virtually free.

But to unlock these benefits, you’re going to need to be strategic. In this article, I’m going to share tactics we’ve used at Demand Curve to grow our newsletter list to over 50,000 highly-qualified subscribers and maintain an open rate of over 50%.

Increase popup conversion using the 60% rule

While they’re often thought of as intrusive, pop-ups work. On average, they convert 3% of site visitors, and strategic, high-performing pop-ups can reach conversion of about 10%.

To make higher-converting, less intrusive pop-ups, try the 60% rule.

  1. Choose a page you’d like to put a pop-up on. We recommend pages that aren’t conversion-focused (so not product pages, checkout or sign-ups). We’ve found content pages work best, and they can act as a signal for visitors who are looking for something specific.
  2. Open your website’s analytics and see what the average time spent on that page is.
  3. Set your pop-up to appear after 60% of the average time of that page has elapsed.

So if the average time spent on a page is 50 seconds, set your pop-up to appear 30 seconds (60% of total time) after visitors land on that page.

Why 60%? Readers have shown interest in your content, but are nearing the end of their session. Prompting them to join your newsletter to see more relevant content in exchange for their email will feel fair.

Give samples of your newsletter to prove quality

If a visitor is new to your content, asking them to sign up for your newsletter can be a big step, and most new visitors won’t convert. To narrow the gap between a new reader and subscriber, provide a sample on the sign-up page. Use your most engaging newsletter as a sample to prove that your content is high quality.

To source your most engaging content, filter by open rate and replies. In your email service provider, sort your previous editions by open rate. This will help you identify which subject lines are most popular with existing readers. Modify your most popular subject line to turn it into a header on your newsletter sign-up page.

Next, go into your inbox and sort by replies to your newsletter. Identify which newsletter got the most replies from your readers. This is a positive signal that the content from that edition resonated the most and would be a solid choice for your free sample.

Image: Give samples of your newsletter to prove your quality. Image Credits: Demand Curve

Emails from real people are opened more often

People reflexively ignore welcome emails after they sign up. But those who do open your welcome email are more likely to consistently open your newsletters.

To encourage new subscribers to open your welcome email, try breaking the welcome email pattern using delayed gratification and a recognizable sender.

Delay your welcome email by 45 minutes. This will bypass the reflex that new subscribers have to ignore an email that pings them seconds after signing up. We’ve found 45 minutes to be ideal, because the delay is long enough that it breaks the pattern, but not so long that your email gets buried in their inbox.

Send your welcome from a person, not from a business account. We’ve found this tactic to be especially effective when the sender is the founder of the business or someone with an established audience. Use a photo of that person and not your company logo to help the email stand out.

To avoid overflowing the sender’s real inbox, create a subdomain for your website that will be used exclusively for sending emails. Create an account for your sender and begin using it for your newsletter. This avoids overwhelming their inbox and maintains the health of your sending domain.

Image: Emails from real people get opened more frequently. Image Credits: Demand Curve

Send a superissue to new subscribers

A new subscriber will be keen to receive their first issue. To ensure they’re satisfied, piece together your best content from past issues into a superissue. But be careful not to use the same content you included as samples on your sign-up page.

Send this first superissue with the welcome email so that your new subscribers are immediately receiving value from your newsletter. Starting with your best content first will get your subscribers excited to open future emails.

We’ve found that shorter welcome emails perform better than long-winded ones. Keep your welcome message short and your opening issue tight. Once they’ve received the welcome email and the first superissue, add them to the regular email cadence.

Image: Send a super-issue to new subscribers. Image Credits: Demand Curve

Consider sending fewer emails

We polled over 24,000 marketers on Twitter asking whether people suffer from “newsletter fatigue,” causing them to unsubscribe.

The results: 80% of respondents unsubscribe when they get too many emails.

To avoid overwhelming your subscribers:

Give your subscribers control over how often they are emailed: Some subscribers want them weekly, while others want monthly. In the footer of your email, create opt-out links that allow subscribers to customize the cadence they’ll receive emails. Giving them the opportunity to opt out of frequent emails while still remaining subscribed keeps them as valid contacts on your email list. You want to avoid losing them completely as a subscriber.

Send fewer emails: Putting a constraint on how many emails you’re allowed to send every quarter will force you to be more thoughtful about the contents of those emails. A high volume of emails just for the sake of being in your subscribers’ inbox can burn you and your readers out. We’ve seen very little correlation between volume of emails and the resulting conversion rate.

Make your emails fun — not just educational

Most emails in your inbox are serious. To stand out, consider injecting some lighthearted memes, jokes or interesting links from around the web.

We’ve found this tactic works extremely well, because it gives your readers a dopamine hit in every email. Not every piece of newsletter content you write will resonate with every subscriber. Humor, on the other hand, can have broad appeal. Including interesting and fun content will ensure that every reader is left feeling satisfied.

It also helps build a habit. If every edition is slightly different, your reader will never be sure what they’re opening when a new edition hits their inbox. We’ve found that including something fun at the bottom of the newsletter gives readers a reward: Read the serious stuff, then get rewarded with the fun stuff.

We add a meme to each issue. People reply to tell us how much they appreciate it.

Image: Add a funny meme or interesting content to engage your readers. Image Credits: Demand Curve

Make referrals seamless

Referrals are a free way to grow your newsletter. To increase the chances of subscribers referring you to others, make sure the process takes no longer than 25 seconds.

Remind readers at the end of each issue that they can refer others. A simple way is to ask them to forward the email to a friend who would find it interesting. Include a short sentence in the intro to your newsletter telling people being referred where they can subscribe. Include a link.

An advanced tactic is to include a subscriber’s unique link to a referral program so they can track how many people they’ve invited. Give them the option to share through email or social media.

You should also have a web version of every issue so that your content can be easily shared outside of email. Most email service providers will automatically generate a web link that you can promote through social media or elsewhere. You can also copy the content and post it to your website as a blog post to generate traffic from search engines.

Consider providing rewards to those who refer your newsletter. Merchandise will likely only work as an incentive if your brand is well known or very unique. We suggest incentivizing referrals using exclusive content. Send a monthly bonus issue to subscribers who have referred five or more friends. This will keep your costs down and give your subscribers more of what they already want.

Note that you will need a critical mass of subscribers before referrals will prove to be effective. We’ve found the threshold is about 10,000 subscribers. But if your audience is extremely engaged or the community you serve is active, implementing a free referral program has virtually no downside.

How to turn followers into subscribers

Your subscribers will likely become aware of your content through a social media channel, but social media audiences are rented from the platform — you do not own a direct channel to communicate with them. Converting followers into newsletter subscribers is one way to control a direct line of communication and deepen your relationship with your audience.

When pitching your followers to subscribe to your newsletter, include a link in your bio. This may sound obvious, but many people don’t do it. When someone comes across your social media profile, make signing up for your newsletter the call to action. Otherwise, they’ll have no idea that you even have a newsletter.

You could also cut a Twitter thread or LinkedIn post short and tell people to subscribe for the rest of the insights. You probably don’t want to overuse this tactic.

Create an offer or unique piece of content that can only be accessed through the newsletter. This will motivate your followers to join your email list to get access to exclusive content or unique offers.

Recap

Getting new subscribers: Use pop-ups that are relevant and shown only to high-intent readers on your site. Provide proof of why they should subscribe to your newsletter with sample content. Make your welcome email stand out and front-load the first issue with your best content.

Keeping subscribers: To keep your subscribers wanting more, send fewer emails. Sprinkle in humor and interesting links to turn your newsletter into a habit.

Promoting your newsletter: Use exclusivity and offers to hook your social media followers into subscribing to your newsletter. Ask your subscribers to refer your newsletter to others to grow your subscriber base.

Sedna banks $34M for a platform that parses large volumes of email and chat to automatically action items within them

Many have tried, but email refuses to die… although in the process it might be (figuratively speaking) killing some of us with the workload it brings on to triage and use it. A startup called Sedna has built a system to help with that — specifically for enterprise and other business customers — by “reading” the text of emails, and chats, and automatically actioning items within them so that you don’t have to. And today, it’s announcing funding of $34 million to expand its work.

The funding, a Series B, is being led by Insight Partners, with Stride.VC, Chalfen Ventures and the SAP.iO fund (part of SAP) also participating. The funding will be used to continue building out more data science around Sedna’s core functionality, with the aim of moving into a wider set of verticals over time. Currently its main business is in the area of supply chain players, with Glencore, Norden, and Bunge among its customers. Other customers in areas like finance include the neobank Starling. London-based Sedna is not disclosing valuation.

Bill Dobie, Sedna’s CEO and founder, said the idea for the company was hatched out of his own experience. “I spent years building software to help users be more productive, but no matter what we built we never really reduced people’s workload.” The reason: the millstone that is called email, with its endless, unsolicited, inbound messages, some of which (just enough not to ignore) might be important. “What really struck me was how long it spent to move items out of and into email,” he said of the “to-do’s” that arose out of there.

Out of that, Sedna was built to “read” emails and give them more context and direction. Its system removes duplicates of action items and essentially increases the strike rate when it comes to people’s inboxes: what’s in there is more likely to be what you really need to see. And it does so very quickly.

“Our main value is the sheer scale at which we operate,” Dobie said. “We read millions or even billions of messages in sub second response times.” Indeed, while many of us are not getting “millions” of emails, there is a world of messaging out there that needs reading beyond that. Think, for example, of the volume of data that will be coming down the pike from IoT-based diagnostics.

“Smart” inboxes have definitely become a thing for consumers — although arguably none work as well as you wish they did. What’s notable about Sedna has been how it’s tuned its particular algorithms to specific verticals, letting them get smarter around the kind of content and work practices in particular organizations.

Right now the work is driven by an API framework, with elements of “low code” formatting to let people shape their own Sedna experiences. The aim will be to make that even easier over time. In most deployments, though, it is the customer’s SAP, shipping or trading system that understands the transaction under way; Sedna then uses a decision tree to categorize the messages against it.

Another area where Sedna might grow is in how it handles the information that it ingests. Currently, the company’s tech can be interconnected by a customer to then hand off certain work to RPA systems, as well as to specific humans. There is an obvious route to developing some of the second stage of software there — or alternatively, it’s a sign of how something like Sedna might get snapped up, or copied by one of the big RPA players.

“Bill started reimagining email where it was most broken and therefore hardest to fix—large teams managing huge volumes and complicated processes,” said Rebecca Liu-Doyle, principal at Insight Partners, in a statement. “Today, Sedna’s power is in its ability to introduce immense speed, simplicity, and delight to any inbox experience, regardless of scale or complexity. We are excited to partner with the Sedna team as they continue to make digital communication more intelligent for teams in global supply chain and beyond.” Liu-Doyle is joining the board with this round.

SAP is a strategic investor in this round, as Sedna potentially helps its customers be more productive while using SAP systems. “SAP continues to partner with SEDNA to deliver value to SAP customers. The ability to turn complex information into simpler intelligent collaboration has been a growing priority for many SAP customers,” said Stefan Sauer, global transport solutions Lead at SAP, in a statement.

An email sent by One Medical exposed hundreds of customers’ email addresses

Primary care company One Medical has apologized after it sent out an email that exposed hundreds of customers’ email addresses.

The email sent out by One Medical on Wednesday asked to “verify your email,” but one email seen by TechCrunch had more than 980 email addresses copied on it. The cause: One Medical did not use the blind carbon copy (bcc:) field to mass email its customers, which would have hidden their email addresses from each other.
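The distinction this incident turns on, as an added example that is not One Medical’s code: SMTP envelope recipients decide who receives a message, while the To and Cc headers are just text inside it that every recipient can read. Bcc works by putting customers in the envelope only. The example builds a notice both ways, with a pre-send lint that catches the exposing version; the addresses are constructed and nothing is sent.

```python
# Added example, not One Medical's code: the distinction this incident turns on.
# SMTP envelope recipients decide who gets a message; the To and Cc headers are
# just text inside it that every recipient can read. A bulk notice should carry
# customers only in the envelope (which is what Bcc does), and a pre-send lint
# can catch the mistake. Addresses are constructed.
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "noreply@example.com"  # placeholder, not One Medical's address


def build_bulk_notice(recipients: list[str], subject: str, body: str) -> tuple[EmailMessage, list[str]]:
    """Return (message, envelope_recipients).

    The message names nobody but the sender. Passing the envelope list as
    to_addrs to smtplib.SMTP.send_message would deliver it to every customer
    without disclosing them; no mail is sent here.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "undisclosed-recipients:;"  # RFC 5322 empty group
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_exposing_notice(recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The mistake: every customer in To, so each one sees all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg: EmailMessage) -> list[str]:
    """Addresses any recipient would see in To/Cc (Bcc is stripped before relay)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def safe_to_send(msg: EmailMessage, max_visible: int = 1) -> bool:
    """Pre-send lint: a customer notice should expose at most one visible address."""
    return len(exposed_recipients(msg)) <= max_visible


if __name__ == "__main__":
    customers = ["a@example.org", "b@example.org", "c@example.org"]
    good, envelope = build_bulk_notice(customers, "Verify your email", "Please verify your email address.")
    bad = build_exposing_notice(customers, "Verify your email", "Please verify your email address.")
    print("envelope recipients:", envelope)
    print("visible in safe notice:", exposed_recipients(good), "ok:", safe_to_send(good))
    print("visible in exposing notice:", exposed_recipients(bad), "ok:", safe_to_send(bad))
```

The lint is the piece worth wiring into a sending pipeline: a message bound for hundreds of customers that carries more than one visible recipient address should never leave the queue.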

Several customers took to Twitter to complain, but also to express sympathy for what was quickly chalked up to an obvious mistake. Some users reported varying numbers of email addresses on the email that they received.

We asked One Medical how many customers had their email addresses exposed and if the company plans to report the incident to state governments, as may be required under state data breach notification laws, but we did not immediately hear back.

In a brief statement posted to Twitter, One Medical acknowledged the mistake and said: “We are aware emails were sent to some of our members that exposed recipient email addresses. We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will take all appropriate actions to prevent this from happening again.”

On the scale of security lapses, this one is fairly low impact compared to a breach of passwords or of financial and health data. But exposed email addresses can still be used to identify who is a customer of the company.

The San Francisco-based One Medical, backed by Google’s parent company Alphabet, went public last year just prior to the start of the pandemic.

Reform your startup’s meeting culture

Bad meetings are the fast food of the knowledge worker: it’s so deliciously quick and easy to throw a 60-minute default meeting onto everyone’s schedule, but the long-term costs are extremely unhealthy.

Busy meeting organizers drive-thru schedule meetings because they think they don’t have time to plan. They expect good outcomes to come from little preparation, which doesn’t happen. The meetings are held and progress stalls.

One way to save everyone significant time (and win lots of friends) would be to just get rid of all meetings, but a well-prepared and well-run session can expedite communication and get a team closer to its goals. Unfortunately, most meetings are lazily planned and poorly run, imprisoning attendees and halting productivity.

So how can you separate the good meetings from the bad?

Measure your meeting waistline

No one measures the impact of their meetings. So the first step is to start keeping meeting metrics so that you can identify the bad meetings on your teams’ calendars.

Every time a recurring meeting is added to a calendar, a kitten dies.

My company has created a calendar assistant that automatically measures and stops bad meetings before they occur, but if you can’t automate the prevention of bad meetings, survey and learn from attendees after the meeting to record and measure them.

Create taxonomies and quantify the types of meetings that are being held — for example: “information sharing,” “brainstorming,” “1:1,” “decision-making,” etc.

After several months (ideally a year) of collecting metrics, you can grade the quality and look for patterns. You will probably find something along these lines:

  • Very few employees decline meetings, even when it’s obvious that the meeting is going to be a doozy.

UK PM Boris Johnson’s Tories guilty of spamming voters

The governing party of the UK has been fined £10k by the national data protection watchdog for sending spam.

The Information Commissioner’s Office (ICO) has sanctioned the Conservative Party following an investigation triggered by complaints from 51 recipients of unwanted marketing emails sent in the name of prime minister Boris Johnson.

The emails in question were sent during eight days in July 2019 after Johnson had been elected as Party leader (and also therefore became UK PM) — urging the recipients to click on a link that directed them to a website for joining the Conservative Party.

Direct marketing is regulated in the UK by PECR (the Privacy and Electronic Communications Regulations) — which requires senders to obtain individual consent to distribute digital marketing missives.

But the ICO’s investigation found that the Conservative Party lacked written policies addressing PECR and appeared to be operating under the misguided assumption that their “legitimate interests” overrode the legal requirements related to sending this type of direct marketing.

The Party had also switched bulk email provider, during which unsubscribe records were apparently lost. But of course that’s not an excuse for breaking the law. (Indeed, record-keeping is a core requirement of UK data protection law, especially since the EU General Data Protection Regulation was transposed into national law back in 2018.) And the ICO found the Tories were unable to adequately explain what had gone wrong.

In another damning twist, the Conservative Party had been subject to what the ICO calls “detailed engagement” at the time it was spamming people.

This was a result of wider action by the regulator, looking into the ecosystem and ethics around online political ads in the wake of the Cambridge Analytica scandal — and the Party had already been warned of inadequate standards in its compliance with data protection and privacy law. But it went ahead and spammed people anyway. 

So while ‘only’ 51 complaints were received by the ICO from individual recipients of Boris Johnson’s spam, the ICO found the Tories could not fully demonstrate they had the proper consents for over a million (1,190,280) direct marketing emails sent between July 24 and 31 2019. (The ICO takes the view that at least 549,030 of those, which were sent to non-Party members, were “inherently likely” to have the same compliance issues as were identified with the emails sent to the 51 complainants.)

Moreover, the Party continued to have scant regard for the law as it spun up its spam engines ahead of the 2019 General Election — which saw Johnson gain a landslide majority of 80 seats in a winter ballot.

“During the course of the Commissioner’s investigation, the Party proceeded to engage in an industrial-scale direct marketing email exercise during the 2019 General Election campaign, sending nearly 23M emails,” the ICO notes. “This generated a further 95 complaints to the Commissioner, which are likely to have resulted from the Party’s failure to address the compliance issues identified in the Commissioner’s investigation into the July 2019 email campaign and the wider audit of the Party’s processing of personal data.”

Its report also chronicles “extensive delays” by the Conservative Party in responding to its requests for information and clarification — so while it was not found to have obstructed the investigation the regulator does write that its conduct “cannot be characterised as a mitigating factor”.

While the ICO penalty is an embarrassing slap for Boris Johnson’s Tories, a data audit of all the main UK political parties it put out last year spared no blushes — with all parties found wanting in how they handle and safeguard voter information.

However, it’s only the Conservatives’ fast-and-loose attitude toward people’s data and privacy online that could have contributed to their consolidating power at the last election.

Hackers are targeting employees returning to the post-COVID office

With COVID-19 restrictions lifting and employees starting to make their way back into offices, hackers are being forced to change tack. While remote workers have been scammers’ main target for the past 18 months due to the mass shift to home working necessitated by the pandemic, a new phishing campaign is attempting to exploit those who have started to return to the physical workplace.

The email-based campaign, observed by Cofense, is targeting employees with emails purporting to come from their CIO welcoming them back into offices.

The email looks legitimate enough, sporting the company’s official logo in the header and signed in the CIO’s name. The bulk of the message outlines the new precautions and changes to business operations the company is taking relative to the pandemic.

If an employee were to be fooled by the email, they would be redirected to what appears to be a Microsoft SharePoint page hosting two company-branded documents. “When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials,” explains Dylan Main, threat analyst at Cofense’s Phishing Defense Center.

If a victim interacts with either document, a login panel appears and prompts them for credentials to access the files.

“This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel,” Main continued. “By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”

Another technique the hackers are employing is fake credential validation. The first few times login information is entered into the panel, it returns the error message “Your account or password is incorrect.”

“After entering login information a few times, the employee will be redirected to an actual Microsoft page,” Main says. “This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information.”
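Triage logic for the lure described above, as an added example that is not Cofense’s detection code: it flags a From header whose display name matches an executive while the address does not, and document links that dress up as SharePoint or OneDrive but do not land on the organisation’s own tenant hosts. The organisation, its executive directory, the tenant hosts and the sample message are all constructed for the example.

```python
# Added example, not Cofense's detection logic: header and link triage for the
# lure described above, an executive impersonation that leads to a look-alike
# SharePoint page. The organisation, its executive directory, the tenant hosts
# and the sample message are all constructed.
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"
# Constructed directory of people worth impersonating: display name -> real address.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
# Assumed tenant hosts: the only places this organisation's SharePoint/OneDrive links should land.
TRUSTED_DOC_HOSTS = {"example.sharepoint.com", "example-my.sharepoint.com"}

# Constructed message: the CIO's name, an external sender, a document link on a look-alike host.
SAMPLE_HEADERS = {
    "From": '"Jane Doe" <jane.doe@returning-to-office.example.net>',
    "Subject": "Welcome back to the office: updated workplace precautions",
}
SAMPLE_LINKS = ["https://example-sharepoint.example.net/sites/hr/ReturnToOffice.pdf"]


def executive_impersonation(from_header: str) -> str | None:
    """Flag a From whose display name matches an executive but whose address does not."""
    name, addr = parseaddr(from_header)
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected.lower():
        return f"display name '{name}' matches an executive but the sender is {addr}"
    return None


def lookalike_document_links(links: list[str]) -> list[str]:
    """Flag links that dress up as SharePoint/OneDrive but are not on a tenant host."""
    findings: list[str] = []
    for url in links:
        host = (urlsplit(url).hostname or "").lower()
        if host in TRUSTED_DOC_HOSTS:
            continue
        if "sharepoint" in host or "onedrive" in host:
            findings.append(f"{host} imitates a Microsoft document host but is not a tenant host")
    return findings


def triage(headers: dict[str, str], links: list[str]) -> list[str]:
    """All indicators for one message; an empty list means nothing matched."""
    findings: list[str] = []
    hit = executive_impersonation(headers.get("From", ""))
    if hit:
        findings.append(hit)
    findings.extend(lookalike_document_links(links))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS, SAMPLE_LINKS):
        print("INDICATOR:", finding)
```

Neither check depends on the lure’s wording, which is the part the attacker changes with the news cycle; the sender identity and the landing host are the parts that have to be wrong for the campaign to work.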

While this is one of the first campaigns that’s been observed targeting employees returning to the workplace (Check Point researchers uncovered another last year), it’s unlikely to be the last. Both Google and Microsoft, for example, have started welcoming staff back to office cubicles, and the majority of executives expect that at least 50% of employees will be back working in the office by July, according to a recent PwC study.

“We saw threat actors follow the trends throughout the pandemic, and we expect they are likely to leverage themes of returning to work in their attacks in the coming months,” Tonia Dudley, a strategic advisor at Cofense, told TechCrunch. “We can expect remote workers to continue to be targeted as well. While employers begin to bring staff back to the office, it’s likely we’ll see a hybrid model of work moving forward. Both groups will be targets for phishing attacks.”

Threat actors typically adapt to exploit the global environment. Just as the shift to mass remote working led to an increase in the number of attacks attempting to steal remote login credentials, it’s likely the number of attacks targeting on-premises networks and office-based workers will continue to grow over the coming months.

MessageBird acquires SparkPost for $600M using $800M Series C extension

MessageBird, a communications platform out of the Netherlands, had a busy day today with two huge announcements. For starters, the company got an $800 million extension on its $200 million Series C round announced last October. It then applied $600 million of the extension to buy email marketing platform SparkPost. The company’s C round now totals at least $1 billion.

Let’s start with the acquisition. MessageBird CEO Robert Vis says his company had an email component prior to the acquisition, but the chance to pick up the largest email provider in the world was too good to pass up.

“If you talk about infrastructure, we’re defining largest […] as a matter of interactions, so basically the amount of emails sent. SparkPost sends about 5 trillion emails a year. And the second thing that’s very important to us is to be able to send high scale emails when it’s really critical,” Vis told me.

With the company in the fold, it enables MessageBird, which has mostly been in Europe and Asia, to get a stronger foothold in the U.S. market. “So this is as much for us about the technology around SparkPost as it actually is for us to have market entry into the United States with a significant workforce instead of having to build that from scratch,” Vis said.

Rich Harris, CEO of SparkPost, sees the deal as a way to expand SparkPost to multiple channels already available on the MessageBird platform and to be a much more powerful combination together than it could have been alone.

“By joining forces with MessageBird, we will be able to bring broader, deeper value to all of our customers through any digital communications,” Harris said in a statement.

Vis agrees, saying it gives his company the opportunity to upsell other MessageBird services to SparkPost customers. “SparkPost obviously only offers email. We can offer SparkPost customers way more channels. We can offer them texting, Instagram, WhatsApp or Apple Business Chat. So we feel very excited about leveraging them to go sell much more broad messenger products to their customers,” Vis said.

MessageBird announced its $200 million Series C at a $3 billion valuation last October. The company’s whopping $800 million extension brings the round to around $1 billion. It’s worth noting that the round isn’t completely closed yet, so that’s not an official figure.

“The round isn’t completely closed yet as we are still waiting on some of the funds to come in, so we cannot give you 100% final figures on the round, but we can say with confidence that the round will close at $1B or slightly higher,” a company spokesperson explained. It is announcing the funding before everything is 100% done due to regulatory requirements around the acquisition.

Eurazeo, Tiger Global, BlackRock and Owl Rock participated in the extension along with Bonnier, Glynn Capital, LGT Lightstone, Longbow, Mousse Partners and NewView Capital, as well as existing investors such as Accel, Atomico (which led the Series A and B rounds) and Y Combinator. The mix is 70% equity and 30% debt, according to the company.

Today’s acquisition comes on the heels of two others just last month, when the company announced it was acquiring video meeting startup 24Sessions and Hull, a data synchronization startup. The company also acquired Pusher, a push notification company, in January, as MessageBird uses its Series C cash to quickly expand the platform.

Education nonprofit Edraak ignored a student data leak for two months

Edraak, an online education nonprofit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake.

The nonprofit, founded by Jordan’s Queen Rania and headquartered in the kingdom’s capital, was set up in 2013 to promote education across the Arab region. The organization works with several partners, including the British Council and edX, the online learning platform founded by Harvard and MIT.

In February, researchers at U.K. cybersecurity firm TurgenSec found one of Edraak’s cloud storage servers containing at least tens of thousands of students’ data, including spreadsheets with students’ names, email addresses, gender, birth year, country of nationality and some class grades.

TurgenSec, which runs Breaches.UK, a site for disclosing security incidents, alerted Edraak to the security lapse. A week later, the researchers’ email was acknowledged by the organization, but the data continued to spill. Emails seen by TechCrunch show the researchers tried to alert others who worked at the organization via LinkedIn requests, as well as its partners, including the British Council.

Two months passed and the server remained open. At TurgenSec’s request, TechCrunch contacted Edraak, which closed the server a few hours later.

In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was “meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files,” but that “student data is never intentionally placed in this bucket.”

“Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket,” Halawa confirmed.

“Unfortunately our initial scan did not locate the misplaced data that made it there accidentally. We attributed the elements in the Breaches.UK email to regular student uploads. We have now located these misplaced reports today and addressed the issue,” Halawa said.

The server is now closed off to public access.
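The failure mode Halawa describes, a bucket that is meant to be public but quietly accumulates data exports, is one that a periodic sweep of the bucket listing can catch. As an added illustration, not code from Edraak, TurgenSec or TechCrunch, the Python below reads only the first few kilobytes of each object and flags anything that looks like a personal-data export: a spreadsheet whose header row names student attributes such as name, email, gender, birth year, nationality or grade, or any object whose head contains several email addresses. The object listing is constructed for the example, and the column names, the email threshold and the sampled byte count are assumptions a team would tune for its own bucket.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# Assumed column names that mark a student-data export rather than course content.
PII_COLUMNS: Set[str] = {"name", "full_name", "email", "gender", "birth_year",
                         "dob", "nationality", "country", "grade", "score"}
SPREADSHEET_EXT = (".csv", ".tsv", ".xls", ".xlsx")
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[a-z]{2,}", re.I)
EMAIL_THRESHOLD = 3  # assumed: three or more addresses in the sampled head is suspicious


@dataclass
class Finding:
    key: str
    reasons: List[str] = field(default_factory=list)


def _header_columns(head: str) -> Set[str]:
    """Parse the first line of the sampled text as a CSV/TSV header and normalise names."""
    line = head.splitlines()[0] if head else ""
    line = line.replace("\x00", "")  # binary heads (images, video) contain NULs
    dialect = "excel-tab" if "\t" in line else "excel"
    try:
        cols = next(csv.reader(io.StringIO(line), dialect=dialect))
    except (StopIteration, csv.Error):
        return set()
    return {c.strip().lower().replace(" ", "_") for c in cols}


def scan_object(key: str, head: bytes) -> Optional[Finding]:
    """Flag an object that looks like a personal-data export.

    `head` is the first few kilobytes of the object: enough to see a header row
    and a handful of records, which keeps the sweep cheap on a large bucket.
    """
    reasons: List[str] = []
    text = head.decode("utf-8", errors="replace")
    is_sheet = key.lower().endswith(SPREADSHEET_EXT)
    pii_cols = _header_columns(text) & PII_COLUMNS
    emails = len(EMAIL_RE.findall(text))
    if is_sheet and pii_cols:
        reasons.append(f"spreadsheet with personal-data columns: {sorted(pii_cols)}")
    if emails >= EMAIL_THRESHOLD:
        reasons.append(f"{emails} email addresses in first {len(head)} bytes")
    return Finding(key, reasons) if reasons else None


def scan_listing(objects: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    """Run scan_object over (key, head_bytes) pairs, e.g. from a bucket listing."""
    findings: List[Finding] = []
    for key, head in objects:
        finding = scan_object(key, head)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample listing (not real Edraak data): public course assets
# plus one misplaced student export.
SAMPLE_LISTING: List[Tuple[str, bytes]] = [
    ("courses/arabic-101/banner.png", b"\x89PNG\r\n\x1a\n..."),
    ("courses/arabic-101/lecture01.mp4", b"\x00\x00\x00\x18ftypmp42..."),
    ("courses/arabic-101/syllabus.csv", b"week,topic\n1,Alphabet\n2,Greetings\n"),
    ("exports/students_2021-02.csv",
     b"name,email,gender,birth_year,country,grade\n"
     b"Student A,a@example.org,F,1998,JO,88\n"
     b"Student B,b@example.org,M,1997,EG,74\n"
     b"Student C,c@example.org,F,2000,SA,91\n"),
    ("uploads/forum-post.txt", b"Contact me at tutor@example.org for questions.\n"),
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print(finding.key, "->", "; ".join(finding.reasons))
```

Only the export under `exports/` is flagged: the course schedule is a spreadsheet but names no personal attributes, and a single contact address in a forum post does not reach the threshold. Against a real bucket the `(key, head)` pairs would come from the storage API's listing and a ranged read of each object, and the sweep belongs in the same job that ingests content, so a misplaced export is caught before a third party has to report it.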

It’s not clear why Edraak ignored the researchers’ initial email, which disclosed the location of the unprotected server, or why the organization’s response was not to ask for more details. When reached, British Council spokesperson Catherine Bowden said the organization received an email from TurgenSec but mistook it for a phishing email.

Edraak’s CEO Halawa said that the organization had already begun notifying affected students about the incident, and put out a blog post on Thursday.

Last year, TurgenSec found an unencrypted customer database belonging to U.K. internet provider Virgin Media that was left online by mistake, containing records linking some customers to adult and explicit websites.


FatFace tells customers to keep its data breach ‘strictly private’

Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.

The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with customers’ names, email and postal addresses, and the last four digits of their credit card numbers. “Full payment card information was not compromised,” the notice reiterated.

“We immediately launched an investigation with the assistance of experienced security specialists who, following thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month,” the email said.

But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.

Under U.K. data protection law, a company must report a data breach to the Information Commissioner’s Office within 72 hours of becoming aware of it, but there is no legal requirement on customers to keep the information confidential. It didn’t take long for the company to face flak from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”

In a statement sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.” (FatFace declined to attribute the statement to a named spokesperson.)

TechCrunch obtained a near-identical email sent to FatFace staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers, the U.K. equivalent of Social Security numbers, compromised.

FatFace confirmed that “a select number of employees, former employees and customers” were affected and that it is “providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.