tlamprecht
Member
Affected version: v2.2.13
Hello,
We got a report from a new forum user that their freshly created email alias (using the Proton email provider), used to create an account on our forum, quite quickly got spam and phishing messages afterwards, something that didn't happen with other such aliases they used.
I then checked and saw that one of our mods had used the spam cleaner on their account, as it was flagged due to also using a VPN with an IP that was recently reported for spam. Then I wondered if StopForumSpam might have leaked it.
And indeed, after searching I found their literal email address, with our forum name as the user part, in the public (!!) StopForumSpam DB. But we have the "Hash emails before submission" option enabled (I just rechecked, it's still ticked), so why can this still happen, and isn't this a breach of GDPR?
I mean, that StopForumSpam exposes such information publicly, without an account or the like being required, is wild, but that's a different topic and not in the control of the XF devs. Having the email address listed there in (unhashed) plain text was rather unexpected, to say the least.
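The post above hinges on the "Hash emails before submission" option. The following is an added example, not code from XenForo or StopForumSpam, that shows what a hashed report body looks like next to a plaintext one, audits a captured submission body for a leaked plaintext address, and demonstrates why an MD5-hashed email is at best weak pseudonymisation. Assumptions, labelled in the code: the StopForumSpam add endpoint takes form fields `username`, `ip_addr`, `api_key` and either `email` or `emailhash` (MD5 hex of the address), and the hash is computed over the lowercased, trimmed address. Verify these against the SFS API documentation and the forum's own implementation before relying on them.

```python
"""Added example (not XenForo or StopForumSpam code).

Assumptions, labelled as such: the SFS add endpoint accepts the form fields
``username``, ``ip_addr``, ``api_key`` and either ``email`` or ``emailhash``
(MD5 hex of the address), and the hash is taken over the lowercased,
whitespace-trimmed address. Check the SFS API docs before relying on this.
"""
import hashlib
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlencode

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def sfs_email_hash(email: str) -> str:
    """MD5 of the normalised address (assumed SFS convention)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_submission(username: str, ip_addr: str, email: str,
                     api_key: str, hash_emails: bool = True) -> str:
    """Return the URL-encoded body a forum would POST to the SFS add endpoint."""
    params = {"username": username, "ip_addr": ip_addr, "api_key": api_key}
    if hash_emails:
        params["emailhash"] = sfs_email_hash(email)
    else:
        params["email"] = email  # this is what ends up in the public DB verbatim
    return urlencode(params)


def audit_submission(body: str) -> List[str]:
    """Inspect a captured submission body and list privacy problems.

    Run this over the request your forum actually sends (captured with an
    outbound proxy or a debug log) to confirm the hashing option is honoured
    on every code path, including the spam cleaner.
    """
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in fields.get("email", []):
        findings.append(f"plaintext email submitted: {value}")
    for value in fields.get("emailhash", []):
        if not MD5_HEX.match(value):
            findings.append(f"emailhash is not a 32-char lowercase MD5: {value!r}")
    if "email" not in fields and "emailhash" not in fields:
        findings.append("no email or emailhash field at all")
    return findings


def recover_email_from_hash(target_hash: str,
                            candidates: Iterable[str]) -> Optional[str]:
    """Why a hashed email is still personal data: an unsalted MD5 of a
    guessable address (e.g. <forum name>@<alias domain>) is inverted by
    hashing a short candidate list."""
    for cand in candidates:
        if sfs_email_hash(cand) == target_hash:
            return cand
    return None


# Constructed sample data; not a real report or a real key.
SAMPLE_USER = "forumname"
SAMPLE_IP = "203.0.113.7"
SAMPLE_EMAIL = "forumname@example.com"  # alias with the forum name as user part
SAMPLE_KEY = "not-a-real-key"

if __name__ == "__main__":
    hashed = build_submission(SAMPLE_USER, SAMPLE_IP, SAMPLE_EMAIL, SAMPLE_KEY)
    plain = build_submission(SAMPLE_USER, SAMPLE_IP, SAMPLE_EMAIL, SAMPLE_KEY,
                             hash_emails=False)
    print("hashed body:", hashed, "->", audit_submission(hashed) or "ok")
    print("plain body :", plain, "->", audit_submission(plain))
    guessed = recover_email_from_hash(sfs_email_hash(SAMPLE_EMAIL),
                                      ["admin@example.com", SAMPLE_EMAIL])
    print("hash inverted from a two-entry guess list:", guessed)
```

The audit function is the practical part: point it at the body your forum really sends (proxy or debug log) and you find out whether the option is honoured for the spam-cleaner path as well as registration-time checks. The last function is the caveat: even a correctly hashed report of a predictable alias is not anonymised, since anyone who can guess the address can confirm it against the public hash.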