Comments on: Unethical pre-checking: How StumbleUpon hijacked my address book

By: Hillel Max

Hillel Max — Sun, 06 Jul 2008 19:44:46 +0000

i wanted to share a video with two friends, somehow it had all my email addresses i ever used in aol and sent the video to everyone, the select all button was checked by default and i did not realize it. I an not figure out how to remove my contacts. I hate this website now even though the concept is great.

By: Marilyn Sholin

Marilyn Sholin — Wed, 26 Mar 2008 14:12:26 +0000

Remembered this happened to when it happened to me today with a site called TAGGED. Do not join, if you did get OUT now. It told me I had people already in my address book that were TAGGED members and to log in to see who they were. It then proceeded to steal my address book and send an invite (without asking my permission) to everyone in there. This is taking hours of my time to get my friends family and opt ins to newsletters (8000 email addresses!) out of TAGGED.

At this point it also has me too busy fixing things to get to the bottom of them. But eventually, I will.

Marilyn

By: Christopher Elliott

Christopher Elliott — Wed, 10 Oct 2007 00:00:36 +0000

Eric, thanks for jumping in with an answer. It’s very much appreciated. I think the change you’ve made is a step in the right direction. But let me also suggest adding an “are you sure?” screen after people have designated who they want to invite — something that says, in effect, “You are about to invite the following 9,000 people to join StumbleUpon.”

Also, the “opt-out” on the invites has freaked a lot of people out. It implies they’ve been added to some kind of list. Maybe there’s a way of clarifying that this is a one-time invitation without scaring them. Just a thought or two.

By: Eric Goldberg

Eric Goldberg — Tue, 09 Oct 2007 22:53:44 +0000

(Posted this on your follow-up article as well)

Hello,

I’m an engineer for StumbleUpon, and I am implementing a fix for the problem you note herein.

The root of the problem is, both “Select All” controls check/uncheck *all* checkboxes on the page, not just the ones in the section they are nearest. So when you deselected the bottom Select All, you deselected both emails and friends already on SU. Then when you selected the top Select All, you reselected everyone on the page.

As more and more people join StumbleUpon, more data is pushed “below the fold” on the Invite Friends page, and the functionality of the Select All controls become less and less clear.

As a fix, I have recoded the controls to only select/deselect the checkboxes for the section above which they sit. This should make it more clear to our users which boxes will be checked and unchecked.

Also, we do not store your login credentials in any way, nor will we spam your friends.

Thanks,
Eric Goldberg
StumbleUpon Dev Team

By: Atticus Rominger

Atticus Rominger — Thu, 04 Oct 2007 20:02:43 +0000

They got me. I signed up, figured Chris was on to something good. It just goes to show you, though, underhanded deeds don’t pay in the long-run. I was skeptical enough not to share withe any friends… and now I’ll be unsubscribing.

By: shailesh ghimire

shailesh ghimire — Thu, 04 Oct 2007 04:23:21 +0000

Same thing happened to me. It really irked me as well. A few friends e-mailed me back and asked what it was about. Most folks ignored it.

By: Joe F.

Joe F. — Wed, 03 Oct 2007 20:57:46 +0000

Hey – their sign up program email harvesting does not work with macs. We tried with a new mac using a bogus set of addresses here in the office. It did not and could not find the entourage or MacMail address book. Yet another reason to own macs.

I would be interested to see which browser you were using when your address books got hijacked – I would be willing to bet it was 100% Internet Explorer – since the click to sign up probably added an active x control to look for the outlook and outlook express address books and automatically harvest them.

Chris, I’m with Ron above – how did you fall for this one!?

By: Jonathan

Jonathan — Wed, 03 Oct 2007 18:25:41 +0000

Well, at least all you could give them of mine own info, was the “junk mail” info I had given to you (an alternate email and pseudonom, I only use for subscriptions).

By: Jeffrey Kafer

Jeffrey Kafer — Wed, 03 Oct 2007 17:40:14 +0000

I had the same problem with Quechup.com. Sent stupid emails to everyone, hundreds of people. And I’m a voice-over artist, so it sent emails to clients, former clients, agents, contacts, etc. Totally embarrassing. I feel your pain.

By: Eli

Eli — Wed, 03 Oct 2007 17:39:58 +0000

My wife ran into the same problem with a site called Quechup.com. Someone sent her an invite and when she signed up, she unchecked the box for her gmail address book, but it still sent it to hundreds of people. The worst part was that gmail automatically stores addresses you have replied to on a one-time basis. So it sent an invite to more than just the regular people on her contact list.

By: Ed Ferrell

Ed Ferrell — Wed, 03 Oct 2007 17:05:58 +0000

LinkedIn seems to do something similar. While I don’t think it sends emails it did scour my address book and compared it to those who’ve already signed up for LinkedIn. And I think all without my asking them to.

By: Chicky

Chicky — Wed, 03 Oct 2007 15:55:18 +0000

Yeah, those pre-checked boxes are insidious. I always look for them, anytime I have to set up anything online. It’s a creeping menace. Sheesh!

By: Karen Fawcett

Karen Fawcett — Wed, 03 Oct 2007 15:00:20 +0000

Chris … I do EVERYTHING you say but boy was this a whammy.

I do hope I’ll have some friends left after StumbleUpon “helped itself” to my address book. wow….what a scam!

BUT – you’re still the best.

By: Nancy Redd

Nancy Redd — Wed, 03 Oct 2007 11:57:14 +0000

I submitted this to Consumerist because it is VERY important to know – what an invasion of privacy (not to mention embarrassing regarding exes and other contacts who have fallen by the wayside)!

Spirit Airlines almost gets me all the time with their pre-checked Travel Insurance or whatever that is. I’m sure tons of people get scammed and pay for it when shopping for super cheap flights on their site.

By: Christopher Elliott

Christopher Elliott — Tue, 02 Oct 2007 23:14:06 +0000

I’m still baffled at how efficiently StumbleUpon harvested my entire address book, and appreciate all of the advice in the comments. I’ve spent some time on the site today and am disappointed by the experience. Although there’s no hard evidence that StumbleUpon will continue using these e-mail addresses, I’m going to write them to ensure they are never repurposed.