Security Experts:

Connect with us

Hi, what are you looking for?


Email Security Flaw Exposes Volunteer Email Addresses, a non-profit organization that helps students learn computer science, informed users over the weekend that a flaw on its website allowed unauthorized parties to access the email addresses of its volunteers., a non-profit organization that helps students learn computer science, informed users over the weekend that a flaw on its website allowed unauthorized parties to access the email addresses of its volunteers.

The organization learned of the vulnerability on Friday night after at least ten of its volunteers received unwanted job offers from a Singapore-based recruiting firm that had leveraged the “error” to obtain private email addresses.

After being contacted by for an explanation, the recruiting company appologized and promised to delete the collected email addresses and stop sending messages to the addresses it obtained by exploiting the bug.

“Based on [the recruiting firm’s] response, it’s possible the vulnerability may have had limited impact, but we can’t be sure,” Hadi Partovi, CEO of, wrote in a blog post. “Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities.”

The vulnerability was quickly patched and Partovi pointed out that this was not a data breach, rather a mistake on their part that left volunteer email addresses “accessible via the web browser.”

The CEO said none of its servers were vulnerable, and the details of its 10 million teachers and students were not exposed at any time. Partovi also noted that the organization does not store the email addresses of students aged under 13.

In an email sent to affected individuals, said the incident was caused by a client-side vulnerability in its volunteer map. The email also revealed that location data was also exposed if it was provided to

Related: Verizon Fixes Vulnerability Exposing User Email Accounts

Related: Leaky Databases Expose 25 Million Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...