Google support sent an email to over 1,600 customers using the To: field instead of Bcc:.
It’s been a long weekend for someone working on Google’s new domain name registrar.
It began when the company sent out domain name renewal reminder emails to customers that already had their domains set to auto renew. This email surely generated a number of support inquiries from confused customers.
But that mix-up was small potatoes compared to what happened next. On Friday, the company sent an apology to customers, letting them know they didn’t need to take action because their domains were already set to automatically renew.
This email was sent to 1,664 people. How do I know? Take a look:
Yes, that’s what you think it is. The mass email was sent to 1,664 people (including me) using the To: line instead of Bcc:
Ouch.
This led to yet another apology email on Saturday afternoon. Thankfully, the apology-about-the-apology was sent correctly, without disclosing the email addresses of over 1,600 Google Domains customers.
A mistake that should not have happened for sure. Does this really matter though? So now 1600 people know that steve@somewhere has a domain on auto renew with Google Domains. While I’m quick to jump on security mistakes, upon first glance this seems to only be a 2 out of 10 when it comes to security, but this is low on the issue list. Worst case I guess someone on that list then devises some sort of really well-crafted phishing attack. Which is probably unlikely to happen. My guess is that someone named “Amy” is the person that is going to be reprimanded over this.
If it did not also disclose the domain name, I do not see the huge harm in any way. Mind you, it should not have happened. Even Google is human, strange humans but humans.
Google is known to screw up. Actually, it happens often. For example, they initially thought that the gTLDs had some sort of potential. Clearly, they do not and looking back, that was much more serious and expensive than a Bcc screwup. They completely wasted $25 million on the .app TLD and other silly TLDs such as .lol with absolutely no potential. Also, Google+ was a mistake for them. So was Google Helpouts. So were many of the projects in the Google Labs. In all cases, a complete waste of time, effort and money. The point is that Google screws up just like anyone else.