Dashlane's support center recently compromised my privacy on Twitter, an incident which I hope will serve as a cautionary tale for customer support representatives everywhere.
First, let me begin by saying that I've been using Dashlane's password management app for several months now, and overall I have been very happy with my experience. Dashlane has cut back on the time it takes for me to update my passwords (I usually do this on a monthly basis), and it has truly streamlined certain parts of my workday. It's been a good ride, more or less.
Well, last week, I noticed some issues with Dashlane's app for OS X. Specifically, even though I have had two-factor authentication (2FA) enabled on my account since the very beginning, the app was freezing whenever I entered my security codes.
I tried uninstalling and reinstalling the software to no avail. When this didn't work, I decided to reach out to the password management company directly.
On Sunday, I contacted Dashlane Support on Twitter. I described my problem to them, and after a few additional exchanges, they requested that I provide them with my email address in a direct message (DM).
So, I handed over my email address via a DM, expecting a confirmation soon thereafter.
It wasn't until the next day, however, that Dashlane Support confirmed that they had sent me an email. There was just one problem. They told me this in a public tweet, and they fully disclosed my email address therein.
I immediately asked them to take down the offending tweet, but there was no response. In fact, I didn't hear from Dashlane again until some 20 hours later, by which time several individuals had noticed that Dashlane had tweeted out my email address.
The password management company's support center apologized for the disclosure and stated that it had removed the tweet.
I have since confirmed the tweet's removal.
I want to keep things in perspective here.
My case is not like that of Eric Springer, an Amazon user whose shipping address, phone number, and perhaps even credit card number were exposed after an attacker social engineered his way around Amazon customer support.
Unlike financial data, email addresses are not inherently sensitive information. In fact, as security expert Troy Hunt points out on his blog, they are not only readily discoverable but are also in most cases meant to be shared.
That's true. But it should still be your choice when or if you decide to share your email with someone else. And in particular if you want it to be made public. In no scenario should a customer support representative be doing that for you, especially when you haven't submitted to any prior agreement explicitly authorizing them to do so.
I am disappointed that Dashlane exposed my email address on Twitter and took so long to fix the problem, but that's the full extent of it. I intend to keep using Dashlane, and in the worst case, I'll probably just need to keep an eye peeled for spam messages.
I only hope that this serves as a lesson to support representatives everywhere to take extra caution when handling customers' information. Email addresses might be easily tracked online, but at the end of the day, companies like Dashlane still have a responsibility to respect users' privacy and strive to keep those addresses confidential.