Blind is a workplace social network that lets employees at various companies discuss sensitive topics anonymously. The company describes it as a safe place where workers can talk about salaries, workplace concerns and employee misconduct without being identified. But Blind recently left a database server unsecured, exposing some of its users' account information, including their corporate email addresses.
The data exposure was first reported by TechCrunch, and it was uncovered by a security researcher going by the name Mossab H. The database included user posts and private comments as well as passwords that were hashed with the outdated MD5 algorithm. TechCrunch said it was able to recover many of those passwords using easily accessible tools. Further, while TechCrunch didn't find any comments or messages linked to email addresses, it did find email addresses, many stored in plaintext, that were linked to members who had not yet posted on Blind.
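The weakness described above is that a fast, unsalted hash like MD5 lets leaked digests be matched back to passwords. As an added illustration (not Blind's code; the user records and the `hunter2` password are constructed), the example below shows why identical passwords under unsalted MD5 are recognisable as identical, and the usual remediation: verify each login against the legacy digest, then transparently rewrite the record with a per-user salt and a slow key-derivation function.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256 (2023 guidance)


def make_legacy_users():
    """Constructed sample store in the reported weak form: one unsalted MD5 hex digest per user."""
    return {
        "alice@example.com": hashlib.md5(b"hunter2").hexdigest(),
        "bob@example.com": hashlib.md5(b"hunter2").hexdigest(),  # same password -> identical digest
    }


def legacy_md5_matches(stored_hex, password):
    """Check a legacy record. Unsalted MD5 is fast and shared across users, so a leaked
    digest maps straight back to a common password; this path exists only so users
    can be migrated on their next successful login."""
    return hmac.compare_digest(stored_hex, hashlib.md5(password.encode()).hexdigest())


def new_record(password):
    """Build a salted, slow (PBKDF2-HMAC-SHA256) record; the random per-user salt
    means two users with the same password no longer share a digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS, "salt": salt.hex(), "hash": digest.hex()}


def record_matches(record, password):
    """Verify a migrated record using its stored salt and iteration count, in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def login(users, email, password):
    """Verify a login; on success against a legacy MD5 record, rewrite it in the new form."""
    record = users.get(email)
    if record is None:
        return False
    if isinstance(record, str):  # legacy record: a bare MD5 hex string
        if not legacy_md5_matches(record, password):
            return False
        users[email] = new_record(password)  # upgrade in place while the plaintext is available
        return True
    return record_matches(record, password)


if __name__ == "__main__":
    users = make_legacy_users()
    print("legacy digests identical:", users["alice@example.com"] == users["bob@example.com"])
    print("login ok:", login(users, "alice@example.com", "hunter2"))
    print("record now uses:", users["alice@example.com"]["algo"])
```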
Blind says it has users from more than 70,000 companies including Microsoft, Amazon, Google, Uber and Facebook, and this type of data exposure will likely be troubling to many. Among those whose email addresses were exposed were senior executives at major tech companies, according to TechCrunch, and some of the accessible private messages included serious allegations. TechCrunch said Blind only secured the database once it sent a follow-up email a week after the company was first notified. Blind told the publication that only users who signed up or logged in between November 1st and December 19th were affected, or, as it told Gizmodo, an estimated 10 percent of its user base.
In conversation with Gizmodo, Blind claimed the data in question had been moved over to a test environment and that under typical circumstances it would have been "immediately deleted or encrypted" afterwards. "It was our mistake to decide to store them, for whatever purpose, and not taking enough caution to protect them. We deleted all data immediately after we found out," Kyum Kim, head of the company's US operations, told Gizmodo. "Our policy has always been to make sure even we can't identify the users, and for over 90 percent of the users who have not been affected, that remains the same and their email has never existed anywhere in our database. And it is true that we cannot identify anyone even with full access to our servers."
Kim told TechCrunch that the company had found no evidence of database misuse and that Blind began notifying affected users this week.