PSA: we might have accidentally leaked your email address and birth date :(


Hi!

Sorry to say, but if you add annotations, we’ve likely accidentally leaked your email address and birth date in JSON code shown in some pages’ source. So if you have found yourself receiving spammy emails to an account you only use in MusicBrainz, that’s probably why. We have hotfixed the bug now (and be reassured this didn’t affect any actual passwords, so you don’t need to rush to change them anywhere), but it’s still pretty embarrassing, so sorry again!

You can read more about the issue, how we found it and what we are doing to avoid similar issues in the future from our blog:

18 Likes
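The failure mode described in the announcement (a whole editor record serialized into JSON embedded in page source, so that fields meant only for the account owner become readable by anyone viewing the page) is worth seeing side by side with the usual fix. The following is an added example, not MusicBrainz code and not the actual bug: the `sampleEditor` record, the `PUBLIC_EDITOR_FIELDS` allow-list, the `publicEditor`, `embedPageProps`, `findLeakedFields` and `renderAnnotationPage` functions are all hypothetical. It shows an allow-list "view" of the editor that is the only thing the page template ever receives, plus a regression check that scans rendered HTML for field names that must never appear in page source.

```javascript
// Added example (hypothetical code, not MusicBrainz's own).
// Constructed sample editor record; every field and value is made up.
const sampleEditor = {
  id: 42,
  name: "example_editor",
  email: "editor@example.invalid",          // private: must never reach page source
  birth_date: { year: 1990, month: 5, day: 17 }, // private
  password: "<hashed-password-placeholder>",      // private
  privileges: 0,
};

// Allow-list: the only editor fields other users are allowed to see.
// Adding a field here is a deliberate, reviewable decision; a new column
// in the database does not become public by accident.
const PUBLIC_EDITOR_FIELDS = ["id", "name", "privileges"];

// Build the public view of an editor. Unknown/private keys are dropped.
function publicEditor(editor) {
  const out = {};
  for (const key of PUBLIC_EDITOR_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(editor, key)) {
      out[key] = editor[key];
    }
  }
  return out;
}

// Embed props as JSON inside the page. "<" is escaped so a value such as
// "</script>" cannot break out of the script element.
function embedPageProps(props) {
  const json = JSON.stringify(props).replace(/</g, "\\u003c");
  return `<script type="application/json" id="page-props">${json}</script>`;
}

// Unsafe variant: serializes the full editor record (the leaking pattern).
// Safe variant: serializes only the allow-listed view.
function renderAnnotationPage(annotation, useAllowList) {
  const editor = useAllowList
    ? publicEditor(annotation.editor)
    : annotation.editor;
  return embedPageProps({
    annotation: { text: annotation.text, editor },
  });
}

// Regression check for rendered pages: report any forbidden JSON key that
// appears in the HTML. Run over every page template in CI to catch the
// next time a private field is serialized by mistake.
const FORBIDDEN_FIELDS = ["email", "birth_date", "password"];
function findLeakedFields(html) {
  return FORBIDDEN_FIELDS.filter((field) => html.includes(`"${field}":`));
}

// Constructed annotation for demonstration.
const sampleAnnotation = { text: "Some annotation text.", editor: sampleEditor };

// Leaking render exposes three private fields; allow-listed render exposes none.
const leakedBefore = findLeakedFields(renderAnnotationPage(sampleAnnotation, false));
const leakedAfter = findLeakedFields(renderAnnotationPage(sampleAnnotation, true));
console.log("leaked without allow-list:", leakedBefore);
console.log("leaked with allow-list:", leakedAfter);
```

The check in `findLeakedFields` is deliberately crude (it only matches JSON keys), but it is cheap enough to run against every rendered template in a test suite, which is the kind of sweep a site would want after an incident like this one.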

Honestly, I’d rather have my password divulged than my email and birthdate, lol.

But, my own idiosyncrasies aside, does this apply to people who removed an annotation?
As an example, I have deleted far more annotations than I have written. Typically they are “old” annotations whose data was now included in other sections, such as wikipedia-type biographies, alias lists, or cast lists for albums.

1 Like

Thank you for telling us and fixing this. I assume you are also emailing people about this? I do remember questions in the forum on this a while back.

My email address is unique to here and only a very small number of other sites. So it is good to see that the spam is pretty limited, as I have not seen any. Thank you for a very detailed explanation. (And people call me paranoid when I don’t share my real details with a site when asked… :wink: )

Hopefully the person who thought abusing birth dates by sending birthday cards is sitting on a cold naughty step with a large boring book of GDPR rules to read :rofl:

Look at the positive. “Email and date of birth” does not include your actual name. So the scammer will fail to get that credit card in your name.

Unless your name really is “justcheckingitout” which would leave some interesting questions to your parents… :rofl:

So now those hackers can congratulate me on my birthday? Damn!

As far as I know, you can’t delete an annotation, just empty it and save it, so you would be the last to have edited that annotation.

I can’t say I have been receiving more spam, by the way.

EDIT: the blog post doesn’t mention reporting the leak to the Spanish data protection agency. I’m not sure of the legal status of MetaBrainz (US foundation, but very present in Spain at the moment) and the exact requirements, but you likely have to report it to an EU data protection agency.

1 Like

We aren’t currently planning to send emails, because it would probably require hiring an external company to do so (since the amount of emails is large enough that they’d probably be blocked as spam), but if people feel strongly enough about us doing this, we will :slight_smile:

It’s probably what would make another notice appear for my email, in the handy Firefox Monitor?

We’re a California 501(c)(3) non-profit; our Spanish org is only for maintaining an office here and is literally named as such – it’s a “pass through” organization that shunts all matters that don’t relate to the office in Spain to the California org.

I’ve also examined the new California Consumer Privacy Act and it doesn’t apply to us nor do I see a stipulation about notifying anyone about the breach.

I think our disclosure is sufficient as far as the applicable laws are concerned. Our main concern is ensuring that our community is happy with our efforts.

No, I think those alerts are added only when a data dump is found out in the wild – in this case there is no comprehensive dump floating about. And clearly we cannot send the affected email addresses to anyone for notification purposes, that would be worse than the leak itself. :confused:

2 Likes

I’m no lawyer, but you do process data of EU citizens and through the foundation’s supporters and sponsors you are doing business in the EU. Wouldn’t it be better to be safe than sorry and at least contact your legal representation or the Spanish DPA to make sure you are in the clear? No offence, but thinking your disclosure is sufficient is probably not sufficient.

6 Likes

I’m just adding this even simpler tool that Firefox Monitor is based on:

Have I Been Pwned?
Check if you have an [email address] that has been compromised in a data breach.

I don’t know if it’s safe to write our email address in their form… :thinking:
But I did it myself:

Oh no — pwned!
Pwned on 12 breached sites and found 2 pastes.

1 Like

OK, I will upgrade my statement to “I am confident that we don’t need to report this to anyone.”

However, in an effort to not make it seem like I am blowing you off, I will pose this question to our board of directors so that they may chime in and have the last word on this. Stay tuned.

4 Likes

Gee, thanks…

What I find particularly heinous about the leak itself is that it de-anonymized users. The Wikimedia Foundation takes anonymity very seriously, and I can’t imagine them treating such an issue with similar glibness. Honestly, this might be the end of my contributions to MetaBrainz projects.

1 Like

Yes, and we’re very sorry about that. I don’t think we’re not taking it seriously, and as I did mention above, if people think we should be mailing everyone who could be affected and it will be useful rather than making them annoyed to receive the email, we will. I think the only difference is the understanding of whether a report is needed or not.

FWIW I did take the Spanish test @mfmeulenbelt linked to (which honestly was pretty confusingly written even for a native Spanish speaker :confused:) and the automatic answer it gave me was basically “our system is not sure how to deal with this situation so we don’t know whether you should do anything, we guess you should probably let your users know, either contacting everyone directly or via a public notification if contacting everyone seems too complicated.” It felt like it was mostly meant for stuff like leaks of medical or financial data rather than emails and whatnot.

Hopefully you end up deciding to stay! :slight_smile: But if you decide to go, thanks for all the good contributions in the meantime and sorry about the whole thing! :confused:

As an aside, given how un-seriously they took the whole issue with the copyright trolls we had a couple years ago, I don’t have a lot of trust in the WMF’s way of dealing with anything, to be honest (and I say this as someone on the board of a Wikimedia chapter), and my understanding is that a lot of users are unhappy with the WMF not taking them seriously for most things. But hopefully you’re right about that :slight_smile:

5 Likes

Thanks for the transparent communication on this incident. As other users have hinted, I do think an email to all affected users would be necessary (unless you have evidence that your blog post has already reached them, which I guess would be difficult to prove). Even though the Foundation may not be bound by GDPR, as one of its effects users’ expectations in terms of disclosure are probably higher than they used to be. Also, even inactive users may want to take action as a result of the incident. Other users have already argued for reporting the incident to a DPA, which I would also strongly consider given the potential consequences.

11 Likes

I’d like MB to provide a timeline of how this played out.

When did it first appear likely that users’ emails had been exposed?
It appears users were first notified on 2020-11-23. Is this correct?

The exposing of users’ email addresses shows that MB had code running that could harm users.
Please include starting time, finishing time, and the priority given to any sweep of all MB code for other instances of potentially harmful code.

There has been a mistake that has significantly reduced my confidence in MB procedures.
How that mistake has been responded to by MB is what may, at least partially, redeem MB.

The blog post linked above has some details on this. Obviously it looks like the issue was introduced with a release on 2019-04-26 and fixed with a hotfix on November 22.

2 Likes

Thank you for the timely response and allowing this discussion on the topic. All opinions and concerns are valuable input. The more I read the forum, and listening to member input the greater appreciation and trust I have for ALL those involved. Mistakes happen even in the best environments, admittedly this is an interesting or puzzling one, but it has been fixed. I trust what else needs to be done will happen after careful review.

1 Like

Obviously - when I haven’t read the blog post?

[redacted]