Del
Newcomer III

Anyone else seeing "Data Removal Request" mailshots?

Hi there ... I'm looking for your thoughts & wisdom on this.

 

In the last two weeks, I've seen a bunch of emails with the same Subject and Body Text ... only the email addresses change.

 

The Subject is always "Data Removal Request"

The Body Text is always

 

"I hereby withdraw my consent for you to collect, process or store any personal data related to name@emailprovider.com

 

I request that you delete any and all data related to, and belonging to name@emailprovider.com that your company stores, pursuant to my rights under Article 17 GDPR.

 

Thank you!"

 

These requests have covered emails from a variety of free email providers, gmail.com, gmail.fr, hotmail.com ... which makes me think there is a system or service out there generating these emails on behalf of individuals ... possibly for a nominal fee 🙂

 

Of the 20 or so emails we've seen, only a handful of the emails are actually customers / users of our service ... which makes me think the system or service sending these emails is generating mailshots and firing them out to a range of service providers like my company

 

Anyone else seen this?

 

I'm going to work through the email headers to see if there are any clues ... but I thought it was worth posting here in case anyone else is in the same position as me 🙂

 

 

42 Replies
Baechle
Advocate I

Del,

 

This may be an awkward form of Denial Of Service attack.  Trying to get services to delete accounts for people who withdraw their authorization?

 

Sincerely,

 

Eric B.

craiglurey
Viewer

The emails appear legit, the users are replying with positive confirmation of account deletion.  I have not found out which product or service is generating these emails yet.

 

craiglurey
Viewer

I found the service that is generating these emails:

 

https://www.deseat.me/

 

 

someone
Newcomer I

It is the same one for all messages, and none of them are actual users of our services. I also received legitimate requests, but with different wording.

Del
Newcomer III

@craiglurey

 

Excellent!

 

How did you find it? I was searching for ages, didn't get close to it.

Del
Newcomer III

I went through the motions of using this deseat.me service.

 

All I have to do is give this third party my login credentials for gmail ... what could possibly go wrong 😉

 

Don't get me wrong, I think it's a pretty good idea, and I do like the way it finds likely candidates in your email history ... but think about a service that "protects your privacy" ... so long as you give it your credentials first.

 

It also promotes another service, Ctrlpanel, which will manage strong & unique passwords for sites & apps that you want to keep using.

MarkoTanaskovic
Viewer II

On the password, well, they claim to be using OAuth (haven't tested yet, this is from their documentation), so they would not see the password itself.

 

We would authenticate and authorize against our mail provider to allow this service access to the mailbox, which they then scan to sift out which services we might be using, and send the notifications. Also, the question is what exactly we would authorize (at least view full data, and act on our behalf?), and what happens with the permissions afterwards. Does the service de-authorize itself once done, or do we need to do this?

 

Apart from authorizing access, this scanning part could yield other data about us to that service.

 

On a similar topic, this is automation on a scale, and I wonder how equipped (on the process automation side) the companies are to deal with the potential amount of data. This could be a sort of "DDoS" on backend processes.

Del
Newcomer III

I tried it earlier today. After granting the service access to my gmail account, it found about 25 services / sites / apps ... and invited me to accept, delete (add to queue for delete) or mark invalid.

 

The Google account permissions persisted after the service had run ... but I did have the option to remove the access from the "Apps with access to your account" pane on myaccount.google.com/permissions

 

 

MarkoTanaskovic
Viewer II

Thank you for confirming.

 

The questions that arise in my mind are the following:

 

1. How many average users are aware of this (we do not count) - that permissions remain, and you need to remove them manually?

2. Depending on the acceptable usage policy, quite a lot of people use corporate email also for private purposes. If such an email service is cloud hosted, someone might permit access (to a 3rd party) to corporate data.

 

To the second point, think of all the apps that have the "Sign in with..." option, this is basically the same...

 

 

someone
Newcomer I

The number of requests started to increase yesterday, still none of them valid. I wonder whether I can ignore these, as there is no data for these customers kept in the database.
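Added example, not code from this thread or from deseat.me: a small Python triage routine for the mailshot the original post quotes and for the question just above about requests with no data held. It assumes a constructed customer table standing in for the service's own records, and flags templated requests where the sender names an address other than their own for identity verification before anything is deleted.

```python
import re
from email import message_from_string, policy, utils

# Constructed customer table standing in for the service's own user records (assumption).
CUSTOMERS = {"alice@gmail.com", "dave@example.org"}
TEMPLATE_SUBJECT = "Data Removal Request"
# In the quoted template the named address follows "related to".
BODY_RE = re.compile(r"related to\s+([\w.+-]+@[\w.-]+\w)", re.I)


def _mailshot(sender, target):
    """Build a constructed message that follows the template quoted in the thread."""
    return (f"From: {sender}\nSubject: {TEMPLATE_SUBJECT}\n\n"
            f"I hereby withdraw my consent for you to collect, process or store any "
            f"personal data related to {target}\n\nI request that you delete any and "
            f"all data related to, and belonging to {target} that your company "
            f"stores, pursuant to my rights under Article 17 GDPR.\n\nThank you!\n")


SAMPLE_MAILS = [  # constructed inputs
    _mailshot("alice@gmail.com", "alice@gmail.com"),   # a real customer
    _mailshot("bob@hotmail.com", "bob@hotmail.com"),   # never a customer: nothing to erase
    _mailshot("mallory@gmail.fr", "carol@gmail.com"),  # sender names someone else's address
    "From: dave@example.org\nSubject: Please delete my account\n\n"
    "Hi, can you remove my account dave@example.org? Thanks.\n",  # hand-written request
]


def triage(raw):
    """Classify one raw message for the erasure-request queue."""
    msg = message_from_string(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    body = msg.get_content()
    m = BODY_RE.search(body)
    named = m.group(1).lower() if m else sender  # address the request is about
    templated = (str(msg.get("Subject", "")).strip() == TEMPLATE_SUBJECT
                 and "Article 17 GDPR" in body)
    if named != sender:
        action = "verify-identity"  # concerns another address: do not act on it unverified
    elif named in CUSTOMERS:
        action = "erase"  # genuine data subject: handle under Article 17
    else:
        action = "no-data-held"  # nothing stored: reply and log, no deletion needed
    return {"sender": sender, "named": named, "templated": templated, "action": action}


def triage_batch(raws):
    """Run triage over a mailbox dump and tally (templated, action) pairs."""
    results = [triage(r) for r in raws]
    tally = {}
    for r in results:
        tally[(r["templated"], r["action"])] = tally.get((r["templated"], r["action"]), 0) + 1
    return results, tally
```

The tally separates the templated mailshot from hand-written requests, so the volume of "no-data-held" template hits can be answered and logged without touching the erasure workflow.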