
Ad-Blocker Ghostery reveals hundreds of User Email Addresses

Ad-blocking tool Ghostery suffered from a pretty impressive, self-inflicted screwup Friday when the privacy-minded company accidentally CCed hundreds of its users in an email, revealing their addresses to all recipients.


What happened?

Fittingly, the inadvertent data exposure came in the form of an email updating Ghostery users about the company’s data collection policies. The ad blocker was sending out the message to affirm its commitment to user privacy as the European Union’s digital privacy law, known as the General Data Protection Regulation (GDPR), goes into effect.

The email arrived in inboxes with the subject line “Happy GDPR Day — We’ve got you covered!” In the body of the email, the company informed users, “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”

What Ghostery likely didn’t intend to do was immediately expose all of its users. CCed to the email were hundreds of other recipients, their emails all readily viewable to others receiving the message. Ghostery users took to social media to complain about the exposure.

Gizmodo spoke to three Ghostery users who received the GDPR email from the company and had their emails revealed in the CC line of the message. All three confirmed that they had yet to receive any follow-up from Ghostery regarding the situation. Gizmodo also reached out to Ghostery but did not receive a reply.

Amazingly, all three users said no one had replied to the email yet, sparing the hundreds of other recipients from being caught in an endless reply apocalypse. “In one of the most stunning displays of humanity I have ever seen, no one has yet reply-all’s with a snarky comment,” Twitter user Linguica said in a DM.

Deleted Tweet

Cliqz-owned Ghostery just leaked user email addresses in the process of notifying them about GDPR changes.

They even tried to hide certain statements. The original tweet was deleted.


  • Sells your data (check)
  • Can’t handle CC (check)
  • Is less efficient than AdBlock, AdGuard or uBlock (check)
  • Tried to hide some replies (check)
  • Ghostery still has the leakage (check)
  • That should be the end of a privacy-focused company (possible)

What do I suggest?

Go to, sign in and press Cancel Account. Install an alternative or buy a Pi-hole.

The good thing I see about GDPR is that people start questioning several things, which starts a dialog or, in this case, reveals some privacy-related problems.