Hello,
For as long as we have been making software for community builders we, at SocialEngine, have always made client security a top priority. We do our best, not only to build a platform safe for your communities but also to defend your private data. We believe data privacy is of the utmost importance and for this reason, we are notifying clients and experts of an attempted data breach. We want to state very clearly and emphatically that the breach was unsuccessful and no data was retrieved. However, as we have a specific policy for attempted access to restricted areas, we’ve had to take action to protect our data and enforce our policies.
Recently, we became aware of several attempts to access client and expert data via specific queries. We were able to block every attempt made and our investigation led us to the origination of the attempted breach. We took swift action to prevent any further attempts.
Our investigation has revealed that this attempted breach was originated by the third party expert SocialEngineAddOns and during the investigation and recovery period, we temporarily suspended their account until Nov. 3. In our discussions with their parent company, BigStep Technologies, they also tracked down from where the issue originated and have taken action on their end to prevent any further attempts. We are happy to say we have been able to work together to resolve this.
We opted for a temporary suspension over the termination because they conducted their own investigation and had no knowledge their developer had attempted a breach, they had never attempted such action before, and they’ve made assurances it will never happen again. Also, because no data was retrieved and all attempts were unsuccessful, there have been no damages to our clients, experts or our company.
For clients who purchased SocialEngineAddOn products from our store, please contact SocialEngineAddOns directly at their website for plugin downloads until the suspension is lifted. Please feel free to contact our support if you are unable to show proof of purchase and we’ll do whatever we can from our end to get you the info.
We would like to end this message by thanking each and every SocialEngine client and the third-party experts who work tirelessly and in an ethical manner to provide top notch software which truly makes this ecosystem great. We look forward to continuing to grow the platform and the ecosystem with your help!
Respectfully, The SocialEngine Team
We appreciate the SocialEngine Team for patiently working with us on this.
The SocialEngineAddOns team has also published a blog post on our SocialEngineAddOns.com website to provide you with more details on this: 'Incidents of API Calls to SocialEngine.com Website's Backend'.
You can refer to this blog post: https://www.socialengineaddons.com/content/incidents-of-api-calls-to-socialengine-website-backend
We again thank Donna and the SocialEngine team.
SocialEngineAddOns Team
Whilst I'm very happy these attempts were blocked, this is the second time in as many months SEAO has been associated with a data breach.
Referring back to a conversation I had with Donna and SEAO through emails of one of their developers inviting me to join LinkedIn. At the time I thought this was an invite to connect but after an investigation on my side my only LinkedIn account uses my work email and not my personal email and this invite was directed towards my personal email.
I'd question the security of the data currently held by SEAO as this second association brings questions for me.
PeppaPigKilla said:
Whilst I'm very happy these attempts were blocked, this is the second time in as many months SEAO has been associated with a data breach.
Referring back to a conversation I had with Donna and SEAO through emails of one of their developers inviting me to join LinkedIn. At the time I thought this was an invite to connect but after an investigation on my side my only LinkedIn account uses my work email and not my personal email and this invite was directed towards my personal email.
I'd question the security of the data currently held by SEAO as this second association brings questions for me.
Did they ever resolve how they got your business LinkedIn account?
Hi PeppaPigKilla,
We received your email ID from our own customer database, and not through any illegitimate means:
You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.
We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns.
Thanks!
PeppaPigKilla said:
Also please remove my email on your post. I know it’s sort of censored but it shouldn’t be there at all.
I removed the email. Sorry I didn't see it before, was very busy on upcoming things.
Well, the way I see it is, if their company has a person breaching sites I use often, have accounts on, I fear I cannot trust them. They deleted my account and refused to refund me for plugins I will no longer use. I'm sorry SocialEngineAddOns, but it only takes one bad apple to spoil an entire bucket.
AJFortin said:
Well, the way I see it is, if their company has a person breaching sites I use often, have accounts on, I fear I cannot trust them. They deleted my account and refused to refund me for plugins I will no longer use. I'm sorry SocialEngineAddOns, but it only takes one bad apple to spoil an entire bucket.
It can be seen that you have purchased a few of our free plugins (Advanced Birthdays Plugin, Email Verification Reminder Plugin, Professional Likes Plugin, Letter Avatar of Member Name Plugin, Custom & Short Profile) and only one paid plugin, which is Ultimate SEO / Sitemaps Plugin, from the official SocialEngine website. You did not contact our team after the purchase, which is why there was no account created for you.
If you face problem(s) related to any of our plugins, you can contact us directly at sales@socialapps.tech and we will be more than happy to assist you.
Since the plugin was not purchased from our official website (https://socialapps.tech/), a refund cannot be processed from our end. Also, SocialEngine has a no refund policy which you can read here: socialengine.com/marketplace/terms-and-privacy.
Please feel free to reach out to us at sales@socialapps.tech for any further assistance.
Best Regards,
SocialApps.tech Team
Sorry, the link above was for experts. Here's the store policy for clients, https://www.socialengine.com/policies/1736705/store-terms-for-customers . We do have a refund policy but there are terms to meet for that and it sounds like the purchase wouldn't qualify as it has to meet these:
SocialApps said:
Hi PeppaPigKilla,
We received your email ID from our own customer database, and not through any illegitimate means:
You have an account on SocialEngineAddOns.com with your email ID: **email removed by request ** , and we used that email ID to send you an invite.
We're sorry if an invite from us caused you any inconvenience. Please drop us an email in case you need to discuss any concerns. Thanks!
Your employee is trying to add me again on LinkedIn
PeppaPigKilla said:
Your employee is trying to add me again on LinkedIn
Have you formally requested for them to remove your email from their system? If you are in Europe, California or Australia there are requirements for removal upon request.
@ SEAO / SocialApps.Tech please handle this.
PeppaPigKilla said:
Your employee is trying to add me again on LinkedIn
Hi,
We've sent you an email regarding your concern of removing the Email ID.
Please feel free to reach out in case of any other concern.
Regards,
SocialApps.tech Team
SocialApps said:
Hi,
We've sent you an email regarding your concern of removing the Email ID.
Please feel free to reach out in case of any other concern.
Regards,
SocialApps.tech Team
Removing the email ID doesn't help anything, your employee or ex-employee has my data now.
Also, if you remove my email and other data from your servers and backups, how do I then get my purchases from you?
PeppaPigKilla said:
Removing the email ID doesn't help anything, your employee or ex-employee has my data now.
Also, if you remove my email and other data from your servers and backups, how do I then get my purchases from you?
Sending a LinkedIn invite does not allow access to any kind of data of the invited user.
Also, you can change your Email ID for the registered account with SocialApps.tech and you won't lose any data related to purchase, backup etc. This will just be a normal change of Email address of your account.
Regards,
@SocialApps.Tech , at this point, it would be best if you have something in your site that asks clients if they would like to connect on LinkedIn and then only send invites to those that express interest. I would strongly suggest you immediately stop the invites on LinkedIn for clients such as Peppa who have not expressly agreed to receive external invites like that. If it is in your terms that by joining your site a client is agreeing to a LinkedIn contact, you really should still have an opt out for that due to so many new privacy laws. California has a very harsh one now, Australia has one with more provisions than GDPR, then there's GDPR and the general privacy laws of the US. Too many to keep up with these days. We, SocialEngine, don't send out any social media contacts to our mailing list due to such privacy concerns. If a client wants to connect, they know where to find us (footer links show) and can initiate the contact there.
PeppaPigKilla said:
You seem to be missing the point here. I do not trust your company to securely hold my data as it’s already been used for something I didn’t agree to and you haven’t really done anything about it. Your employee or ex-employee has access to all my data regardless of LinkedIn invitation as that’s how it got it, through your company. I’m going to have to seek advice somewhere around this as you don’t seem to see the severity in this breach.
We do not have any of your data except the Email ID which you yourself provided while creating your account at SocialApps.tech. We also have deleted this Email ID from all our records except from your account with us which we cannot do without your permission.
Thus, you can change Email ID associated with your account and that will not affect any plugin file in your account.
Donna said:
@SocialApps.Tech , at this point, it would be best if you have something in your site that asks clients if they would like to connect on LinkedIn and then only send invites to those that express interest. I would strongly suggest you immediately stop the invites on LinkedIn for clients such as Peppa who have not expressly agreed to receive external invites like that. If it is in your terms that by joining your site a client is agreeing to a LinkedIn contact, you really should still have an opt out for that due to so many new privacy laws. California has a very harsh one now, Australia has one with more provisions than GDPR, then there's GDPR and the general privacy laws of the US. Too many to keep up with these days. We, SocialEngine, don't send out any social media contacts to our mailing list due to such privacy concerns. If a client wants to connect, they know where to find us (footer links show) and can initiate the contact there.
Thanks for your suggestion, Donna. We will take this into consideration.