Attempted Data Breach Information

    • Moderator
    • 6923 posts
    October 22, 2019 5:29 AM EDT

    Hello,

    For as long as we have been making software for community builders we, at SocialEngine, have always made client security a top priority.  We do our best, not only to build a platform safe for your communities but also to defend your private data. We believe data privacy is of the utmost importance and for this reason, we are notifying clients and experts of an attempted data breach. We want to state very clearly and emphatically that the breach was unsuccessful and no data was retrieved. However, as we have a specific policy for attempted access to restricted areas, we’ve had to take action to protect our data and enforce our policies.

    Recently, we became aware of several attempts to access client and expert data via specific queries. We were able to block every attempt made and our investigation led us to the origination of the attempted breach. We took swift action to prevent any further attempts.

    Our investigation has revealed that this attempted breach was originated by the third party expert SocialEngineAddOns and during the investigation and recovery period, we temporarily suspended their account until Nov. 3. In our discussions with their parent company, BigStep Technologies, they also tracked down from where the issue originated and have taken action on their end to prevent any further attempts. We are happy to say we have been able to work together to resolve this. 

    We opted for a temporary suspension over the termination because they conducted their own investigation and had no knowledge their developer had attempted a breach, they had never attempted such action before, and they’ve made assurances it will never happen again. Also, because no data was retrieved and all attempts were unsuccessful, there have been no damages to our clients, experts or our company.

    For clients who purchased SocialEngineAddOn products from our store, please contact SocialEngineAddOns directly at their website for plugin downloads until the suspension is lifted. Please feel free to contact our support if you are unable to show proof of purchase and we’ll do whatever we can from our end to get you the info.

    We would like to end this message by thanking each and every SocialEngine client and the third-party experts who work tirelessly and in an ethical manner to provide top notch software which truly makes this ecosystem great. We look forward to continuing to grow the platform and the ecosystem with your help!

    Respectfully, The SocialEngine Team

    • 348 posts
    October 23, 2019 2:16 PM EDT

    We appreciate the SocialEngine Team for patiently working with us on this.

    SocialEngineAddOns team has also published a blog post on our SocialEngineAddOns.com website to provide you more details on this 'Incidents of API Calls to SocialEngine.com Website's Backend'.

    You can refer to this blog post: https://www.socialengineaddons.com/content/incidents-of-api-calls-to-socialengine-website-backend 

    We thank Donna and the SocialEngine team again.

    SocialEngineAddOns Team

    • 303 posts
    October 28, 2019 6:00 PM EDT

    Whilst I'm very happy these attempts were blocked, this is the second time in as many months SEAO has been associated with a data breach.

     

    Referring back to a conversation I had with Donna and SEAO through emails of one of their developers inviting me to join LinkedIn. At the time I thought this was an invite to connect but after an investigation on my side my only LinkedIn account uses my work email and not my personal email and this invite was directed towards my personal email. 

     

    I'd question the security of the data currently held by SEAO as this second association brings questions for me. 

    • Moderator
    • 6923 posts
    October 30, 2019 5:54 AM EDT
    PeppaPigKilla said:

    Whilst I'm very happy these attempts were blocked, this is the second time in as many months SEAO has been associated with a data breach.

    Referring back to a conversation I had with Donna and SEAO through emails of one of their developers inviting me to join LinkedIn. At the time I thought this was an invite to connect but after an investigation on my side my only LinkedIn account uses my work email and not my personal email and this invite was directed towards my personal email. 

    I'd question the security of the data currently held by SEAO as this second association brings questions for me. 

    Did they ever resolve how they got your business LinkedIn account?

    • 303 posts
    October 30, 2019 6:02 AM EDT
    At first it was denied and insinuated I contacted them for support through LinkedIn. It wasn’t until I showed screenshots of the invite to join LinkedIn by their employee that they accepted responsibility, but all that was said is it won’t happen again.
    • 348 posts
    October 30, 2019 8:44 AM EDT

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!


    This post was edited by socialenginestaff at October 30, 2019 1:39 PM EDT
    • 303 posts
    October 30, 2019 8:58 AM EDT
    I’ve discussed my concerns. Your staff member is using clients' emails to try and connect on LinkedIn or invite your clients to LinkedIn.

    Also please remove my email on your post. I know it’s sort of censored but it shouldn’t be there at all.
    • Moderator
    • 6923 posts
    October 30, 2019 1:40 PM EDT
    PeppaPigKilla said:
    Also please remove my email on your post. I know it’s sort of censored but it shouldn’t be there at all.

    I removed the email. Sorry I didn't see it before, was very busy on upcoming things.

    • 24 posts
    January 6, 2020 1:24 AM EST

    Well, the way I see it is, if their company has a person breaching sites I use often and have accounts on, I fear I cannot trust them. They deleted my account and refused to refund me for plugins I will no longer use. I'm sorry, SocialEngineAddOns, but it only takes one bad apple to spoil an entire bucket.

    • 348 posts
    January 10, 2020 8:20 AM EST
    AJFortin said:

    Well, the way I see it is, if their company has a person breaching sites I use often and have accounts on, I fear I cannot trust them. They deleted my account and refused to refund me for plugins I will no longer use. I'm sorry, SocialEngineAddOns, but it only takes one bad apple to spoil an entire bucket.

    It can be seen that you have purchased a few of our free plugins (Advanced Birthdays Plugin, Email Verification Reminder Plugin, Professional Likes Plugin, Letter Avatar of Member Name Plugin, Custom & Short Profile) and only one paid plugin, which is Ultimate SEO / Sitemaps Plugin, from the official SocialEngine website. You did not contact our team after the purchase, which is why there was no account created for you.

    If you face problem(s) related to any of our plugins, you can contact us directly at sales@socialapps.tech and we will be more than happy to assist you.

    Since the plugin was not purchased from our official website (https://socialapps.tech/), a refund cannot be processed from our end. Also, SocialEngine has a no refund policy which you can read here: socialengine.com/marketplace/terms-and-privacy.

    Please feel free to reach out to us at sales@socialapps.tech for any further assistance.

    Best Regards, 

    SocialApps.tech Team


    This post was edited by SocialEngineAddOns at January 10, 2020 8:21 AM EST
    • Moderator
    • 6923 posts
    January 17, 2020 4:29 AM EST

    Sorry, the link above was for experts. Here's the store policy for clients: https://www.socialengine.com/policies/1736705/store-terms-for-customers. We do have a refund policy but there are terms to meet for that and it sounds like the purchase wouldn't qualify as it has to meet these:

    • Client requests refund within 15 days of purchase per the refund terms.
    • Refund is requested due to product failure, defect or bug and third party expert is unable to resolve the issue.
    • Refunds will not be granted due to lack of customization assistance; lack of features (if features wanted are NOT in the description of the product); for products that don’t work with other third party products; for requests beyond the 15 day period; for products not purchased from the SocialEngine store.

    This post was edited by socialenginestaff at January 17, 2020 4:30 AM EST
    • 303 posts
    January 21, 2020 12:02 PM EST
    SocialApps said:

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!

     

     

    Your employee is trying to add me again on LinkedIn

    • Moderator
    • 6923 posts
    January 22, 2020 5:20 AM EST
    PeppaPigKilla said:
    SocialApps said:

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!

     

     

    Your employee is trying to add me again on LinkedIn

    Have you formally requested for them to remove your email from their system? If you are in Europe, California or Australia there are requirements for removal upon request. 

    @ SEAO / SocialApps.Tech please handle this.

    • 348 posts
    January 22, 2020 6:43 AM EST
    PeppaPigKilla said:
    SocialApps said:

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!

     

     

    Your employee is trying to add me again on LinkedIn

     

    Hi,

    We've sent you an email regarding your concern of removing the Email ID.

    Please feel free to reach out in case of any other concern.

    Regards, 

    SocialApps.tech Team

    • 303 posts
    January 25, 2020 12:15 PM EST
    SocialApps said:
    PeppaPigKilla said:
    SocialApps said:

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!

     

     

    Your employee is trying to add me again on LinkedIn

     

    Hi,

    We've sent you an email regarding your concern of removing the Email ID.

    Please feel free to reach out in case of any other concern.

    Regards, 

    SocialApps.tech Team

     

     

    Removing the email ID doesn't help anything; your employee or ex-employee has my data now.

     

    Also, if you remove my email and other data from your servers and backups, how do I then get my purchases from you?

    • 348 posts
    January 27, 2020 6:31 AM EST
    PeppaPigKilla said:
    SocialApps said:
    PeppaPigKilla said:
    SocialApps said:

    Hi PeppaPigKilla,

    We received your email ID from our own customer database, and not through any illegitimate means:

    You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.

    We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.

    Thanks!

     

     

    Your employee is trying to add me again on LinkedIn

     

    Hi,

    We've sent you an email regarding your concern of removing the Email ID.

    Please feel free to reach out in case of any other concern.

    Regards, 

    SocialApps.tech Team

     

     

    Removing the email ID doesn't help anything; your employee or ex-employee has my data now.

     

    Also, if you remove my email and other data from your servers and backups, how do I then get my purchases from you?

     

    Sending a LinkedIn invite does not allow access to any kind of data of the invited user.

    Also, you can change your Email ID for the registered account with SocialApps.tech and you won't lose any data related to purchase, backup etc. This will just be a normal change of Email address of your account. 

    Regards, 

    SocialApps.tech Team


    This post was edited by SocialEngineAddOns at January 27, 2020 6:32 AM EST
    • 303 posts
    January 27, 2020 6:37 AM EST
    You seem to be missing the point here.

    I do not trust your company to securely hold my data as it’s already been used for something I didn’t agree to and you haven’t really done anything about it.

    Your employee or ex-employee has access to all my data regardless of LinkedIn invitation as that’s how it got it, through your company.

    I’m going to have to seek advice somewhere around this as you don’t seem to see the severity in this breach.
    • Moderator
    • 6923 posts
    January 27, 2020 7:13 AM EST

    @SocialApps.Tech , at this point, it would be best if you have something in your site that asks clients if they would like to connect on LinkedIn and then only send invites to those that express interest. I would strongly suggest you immediately stop the invites on LinkedIn for clients such as Peppa who have not expressly agreed to receive external invites like that. If it is in your terms that by joining your site a client is agreeing to a LinkedIn contact, you really should still have an opt out for that due to so many new privacy laws. California has a very harsh one now, Australia has one with more provisions than GDPR, then there's GDPR and the general privacy laws of the US. Too many to keep up with these days. We, SocialEngine, don't send out any social media contacts to our mailing list due to such privacy concerns. If a client wants to connect, they know where to find us (footer links show) and can initiate the contact there.

    • 348 posts
    January 28, 2020 5:39 AM EST
    PeppaPigKilla said:
    You seem to be missing the point here. I do not trust your company to securely hold my data as it’s already been used for something I didn’t agree to and you haven’t really done anything about it. Your employee or ex-employee has access to all my data regardless of LinkedIn invitation as that’s how it got it, through your company. I’m going to have to seek advice somewhere around this as you don’t seem to see the severity in this breach.

    We do not have any of your data except the Email ID which you yourself provided while creating your account at SocialApps.tech. We also have deleted this Email ID from all our records except from your account with us which we cannot do without your permission.

    Thus, you can change the Email ID associated with your account and that will not affect any plugin file in your account.

    • 348 posts
    January 28, 2020 5:39 AM EST
    Donna said:

    @SocialApps.Tech , at this point, it would be best if you have something in your site that asks clients if they would like to connect on LinkedIn and then only send invites to those that express interest. I would strongly suggest you immediately stop the invites on LinkedIn for clients such as Peppa who have not expressly agreed to receive external invites like that. If it is in your terms that by joining your site a client is agreeing to a LinkedIn contact, you really should still have an opt out for that due to so many new privacy laws. California has a very harsh one now, Australia has one with more provisions than GDPR, then there's GDPR and the general privacy laws of the US. Too many to keep up with these days. We, SocialEngine, don't send out any social media contacts to our mailing list due to such privacy concerns. If a client wants to connect, they know where to find us (footer links show) and can initiate the contact there.

    Thanks for your suggestion, Donna. We will take this into consideration.

     

    • 303 posts
    January 28, 2020 6:17 AM EST
    The issue I have is that I cannot trust you to keep it safe.

    The consequence of this for myself is to request you delete all records of myself and because of that I will lose access to all the scripts I have purchased from yourself.