Re: How can I report a security breach leaking PII?

basilbowman
4 - Data Explorer

Hi y'all - I think I've found a VERY dumb breach in Airtable that's leaking PII.  I've sent in an email and reached out via the help system, but I suspect these forums might be better monitored - could an Airtable rep please find a way to contact me for proof?

 

If I can figure out a way to share an image w/o showing how the breach is happening, I'll update this thread and do so.

3 Replies
MaddieJ
Community Manager

Hey @basilbowman

Our Support team is reviewing your request and they'll reach out to you about this.

Best,
Maddie

Hey @basilbowman thanks again for reaching out about this issue. Our team added more context to this via a LinkedIn post, but I wanted to be sure and share it here for anyone following this thread on Community:

"We’ve confirmed that no information was improperly shared. When someone chooses to share a base, Airtable suggests the names and email addresses of other users they have previously collaborated with on other bases (this information is also available by visiting “Manage Access” on any base where you’re a collaborator). We acknowledge this can be surprising if someone is a collaborator on a base with a large number of people they’re unfamiliar with."

Thanks for being a part of the Community!

basilbowman
4 - Data Explorer

Yeah, I just figured it out - it's actually intended behavior, apparently?

I think by opening a non-official template, I actually became a collaborator on it, which then puts me on a list with everyone else that has ever opened that template...AND:

  • those people don't show up in your list of collaborators
  • they don't show up as if you had shared something with them 
  • there's no indication you've created an instance of that template - because you haven't

All that means there are no public bases to leave and nothing to show your information is accessible (or that you're giving consent to sharing your information with everyone else on the list). 

The only thing that might indicate this is a single tab select only visible a few levels back that you then have to filter that looks for "files shared with you" - which has no indication that might be related to why you now have the name/email of ~4k other people (who presumably are in a similar boat).

What absurdly bad UX.