IPInfo.io: SOLD our Email or it was a BREACH ?

IPinfo.io is my go-to site for quick IP details and I have been using it since they launched for their simplicity and accuracy but this blog post shows how our personal data was misused.

If you ever made an account on IPinfo.io you might have noticed an email invitation from dock.io ([email protected]) with a title right-out-of-marketing-books “dock.io invitation expires in 3 days” (Invitation still works after 2 weeks).

Dock.io invitation landed on 2nd May, I knew right off I had to write about this on my blog because dock.io has used my email address which is associated with “ipinfo.io” without my permission.

Dock.io is a decentralized data exchange protocol that lets people connect their profiles, reputations and experiences across the web with privacy and security.

How I know Dock.io used IPinfo.io Email

Since Gmail introduced the “Email Tag” (email+SOMETHING@gmail.com) feature I extensively use that for every website I signup. IPinfo.io was no exception, so I signed up using my email with a dedicated tag for IPinfo (google+ipinfo@hackology.co) . This is my way of monitoring which service misuses our data while sharing our information with other services.

The invitation email I got from dock.io had the ipinfo tag, selling our emails or just giving it away I wonder ?

Nick Sherron – Who are You / How you got my IPinfo Email ?

On the first glance I thought its a standard spam invitation, but as I always use a different tag for every online service I signup it gets easy for me to pin point the source of spam. In this case I did point out the source which happened to be ipinfo, but I had to double check if I knew any “Nick Sherron” and he kind of “actually” invited me using the tag “ipinfo” , less chances but its always good to verify eh.

It didn’t take me long to find out that Nick Sherron is VP of Sales at IPInfo.io and I was not connected to him in anyway (i “might” accept his dock.io invitation after posting this). That is another coincidence ?

• IPinfo.io tag was used in dock.io invitation email
• Dock.io invitation was sent by Nick who is VP of Sales at IPinfo.io

This makes me wonder, was this done with consent of the complete team or anyone can go about and download email addresses of website users ?. When that can be done what is stopping them to download every other detail associated with us ?

Dock.io and Nick Sherron

Why would someone working for a reputable online service go through the trouble of scrapping our email address from ipinfo.io and send out invites ?

Initial thought was that Nick is connected with dock.io but after going through dock.io team I couldn’t find any link between the both.

FUN BOTH : Dock.IO founder name is also “Nick” , “NICK Macario” – and that’s a coincidence in reality.

To find out what made Nick Sherron to misuse user data I went on to register with dock.io , as I expected : they offer an invite friend and earn cryptocurrency on their platform.

So Mr Nick Sherron took out all the users of ipinfo and sent them an email just to earn some dock crypto.

I would request Dock.IO to look into this matter ( Nick Sherron username on dock.io is “nicksherron” ) and IPinfo.io to let us know how our email addresses were used by VP of Sales.

What IPinfo.io has to Say

After publishing this blog post, I tweeted the same to ipinfo, dock and Nick. I thought it would be better that we also see their part of the story.

@ipinfoio : User data is safe on your website ?@dock_io : Users who invite by stealing email lists is against your ToS ?
Read : @sherron_nick (vp of sales at ipinfo) uses emails of registered users at ipinfo just so he could earn some #cryptocurrencyhttps://t.co/NEa0FwNLAb

— Hackology (@Hackology) May 18, 2018

First reply came from @ipinfoio where they cleared that No Breach or Leak happened nor they Sold User Data. 

They explained it further that somehow “some” emails of IPinfo users got synced with “Nick” account within the CMS of IPinfo.

Further Nick replied and stated that he has “Deleted” the emails and it was stupid on his part.

I appreciate IPinfo being open and stating what happened, but it makes me wonder:

• How Nick could “download” “some” emails and then import those into his email contact list
• A bulk emailer was used to send out the invitation of dock.io , which means a “deliberate import of emails” was done to send out invites
• Nick states that they do not use that CRM anymore. Was this email export the reason of that ? or its something we are missing?
• I would appreciate over period of time a detailed explanation by IPinfo, to put everything to rest and make things clear