Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver’s license, ostensibly to verify their address in an attempt to prevent fraud.
Dozens of customers replied with their personal information, but those emails didn’t just go to Essential. Instead, they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s drivers license, birth date, and address information.
The incident is being reported as phishing by many outlets, because it looks and smells quite a lot like a phishing attempt: a weird request for personal information. After examining the email headers, it doesn’t look like this was an actual phishing attempt. It seems much more likely that this was a massive screwup, the result of a misconfigured customer support email list.
Here’s the email Essential originally sent out, via Cygnosity on Reddit and also forwarded to The Verge by another customer:
On Aug 29, 2017, at 9:23 PM, Customer Care firstname.lastname@example.org wrote:
Our order review team requires additional verifying information to complete the processing of your recent order.
This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases.
Please provide an alternative email and phone number to confirm this purchase..
We would like to request a picture of a photo ID (e.g. driver’s license, state ID, passport) clearly showing your photo, signature and address. NOTE: the address on the ID should match the billing address listed on your recent order.
We apologize for the inconvenience and appreciate your cooperation. Once verified, we look forward to shipping your order.
Essential Products Customer Care
We spoke with one of the customers who received the email, Professor Ron Schnell, who also happens to know quite a lot about digital forensics (he served as the CTO on Rand Paul’s presidential campaign).
Schnell’s analysis of the email headers is that these emails really did go back to Essential, not to a random scammer. Here’s how he characterized it on Reddit:
It is not a Phishing scam. It is a misconfiguration. The DKIDs check-out, and the replies are actually going to Essential (and then many other people). I've accumulated quite a collection of D/Ls, Passports, credit card statements, phone numbers, and e-mail addresses. This is unbelievable.
What appears to have happened is that Essential had a list of customers it needed to verify to prevent fraud, so it sent them an email requesting more information. But that email address was set up as a group email, which meant that replies sent to it went to everybody on that email list. It was a misconfigured customer support address on Zendesk, a customer service portal.
We don’t know how or why the email address was configured this way. It could have been a simple misconfiguration or potentially even a disgruntled employee, Schnell says. Whatever the original cause — a phishing scam, a stupid mistake, or something else — the end result that people sent emails with personal information that ended up going to total strangers.
Overnight, customers’ inboxes were filled with emails like this one:
As you can see, the email coming from a customer is identified as coming from email@example.com and it was sent out, CC’d, to many other customers. Many include attachments and links to driver’s license images.
Notably, Essential itself has said very little, beyond the following tweet, which doesn’t characterize the email as a scam and further notes that “we’ve taken steps to mitigate.” Those “steps” appear to include, at minimum, shutting down the email list that everybody was replying to.
We’re aware of & looking into a recent e-mail received by some customers. We’ve taken steps to mitigate & will update with more info soon.— Essential (@essential) August 30, 2017
Essential CEO Andy Rubin later apologized, stating that the incident is “humiliating” and that he holds himself “personally responsible for the error.” Rubin also noted that Essential will offer one year of LifeLock to the affected patrons.
It’s a huge screwup from a company that likes to characterize itself as scrappy and small. But scrappy is one thing, being sloppy with customers’ personal information is another thing entirely.
Other customers, meanwhile, are still awaiting shipment of their preordered phones — Essential had said they were shipping, but it is taking quite a bit longer for orders to arrive than anybody expected.
Update August 30th, 7:54PM ET: This article has been updated to include Essential’s apology for the error.