How Indiegogo Deals with E-Mail Addresses

On the 14th of September, I received an e-mail from the sender netflix@netflix.com asking me to verify my account information in order to continue using Netflix.

This e-mail was sent to indiegogo@catchall and was not related to my Indiegogo account. The RFC 822 header reveals an envelope sender in the domain mncplaymedia.com.
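The header check described above can be automated. The following is an added example, not part of the original post: it reads a message's headers, works out which per-service alias on the catch-all domain received it, and flags mail whose From or envelope sender does not belong to the service that alias was given to. The catch-all domain `example.org`, the `ALIAS_OWNERS` map, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the mailbox owner keeps a map of alias -> domains of the service
# the alias was handed to. "example.org" stands in for the catch-all domain.
CATCHALL_DOMAIN = "example.org"
ALIAS_OWNERS = {"indiegogo": {"indiegogo.com"}}

# Constructed sample modelled on the message described in the post
# (local parts, subject and body are invented).
SAMPLE = """\
Return-Path: <bounce@mncplaymedia.com>
Delivered-To: indiegogo@example.org
From: Netflix <netflix@netflix.com>
To: indiegogo@example.org
Subject: Verify your account information

Please verify your account.
"""

def split_addr(value):
    """Return (local part, domain) of an address header, lower-cased."""
    local, _, dom = parseaddr(value or "")[1].lower().rpartition("@")
    return local, dom

def belongs_to(dom, allowed):
    """True if dom equals, or is a subdomain of, one of the allowed domains."""
    return any(dom == a or dom.endswith("." + a) for a in allowed)

def check_message(raw):
    msg = message_from_string(raw)
    # Delivered-To is added by many receiving MTAs; fall back to To if absent.
    alias, rcpt_dom = split_addr(msg["Delivered-To"] or msg["To"])
    _, from_dom = split_addr(msg["From"])
    # Return-Path records the SMTP envelope sender (MAIL FROM); "<>" is a bounce.
    _, env_dom = split_addr(msg["Return-Path"])
    findings = []
    if rcpt_dom == CATCHALL_DOMAIN and alias in ALIAS_OWNERS:
        if not belongs_to(from_dom, ALIAS_OWNERS[alias]):
            findings.append("alias-used-by-other-sender")
    if env_dom and not belongs_to(env_dom, {from_dom}):
        findings.append("envelope-from-mismatch")
    return {"alias": alias, "from": from_dom,
            "envelope": env_dom, "findings": findings}

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

An envelope sender that differs from the From domain also occurs with legitimate bulk mail sent through third-party providers, so that finding is a signal to look closer rather than proof on its own; the alias finding is the one that shows the address left the service it was given to.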

I contacted Indiegogo to ask whether this information was shared with third parties or whether the Indiegogo database may have been compromised.

The response from the Indiegogo Trust & User Operations Team:

Thank you for sharing this information with us. We have forwarded your message to our security team, who will look into this issue and take action as needed. We will be in touch if we need further information to investigate.

For the protection of our customers, Indiegogo generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available.

Of course, Indiegogo is in a special situation. For backed projects, your information is shared with the crowdfunded project. Indiegogo does not give the user the option to adjust the e-mail address before it is sent to the Backer. That is unfortunate because, especially with startups, it can be assumed that their IT infrastructure is not the best. Some startups ask the backer for an e-mail address and allow them to give a different one from the one used on Indiegogo.

It would be easy for Indiegogo to enforce this: ask the user, for every single project, whether they want to share their Indiegogo e-mail address or a different one. As long as that is not an option, Indiegogo has to take some of the responsibility as the platform that shares information with third parties. Especially when it comes to Article 33 of the GDPR Guidelines, Indiegogo puts itself in a bad position. On the one hand, there is an obligation to report any data breach within 72 hours; on the other hand, when users use a catch-all address, Indiegogo cannot be sure whether the data breach happened on its end or on the side of the startup.
