Security Snafu: Elance Sends Private Messages All Over The Place

This is the second time this summer we have written about Elance, a service that allows companies and individuals to hire and pay independent professionals and contractors online, and once again it's not good news but another security issue. A registered user of the service, Salma Jafri, tells us she has been receiving dozens of private messages that were erroneously sent to her account, on occasion even containing confidential information and sensitive data such as login details for Elance accounts and third-party servers.

Members have been alerting the company to the problem since the security breach became apparent a couple of hours ago, but Elance has apparently neither dealt with it nor responded to any inquiries, say Jafri and numerous others in the website forums. We've contacted the Mountain View company as well but haven't heard back so far.

Something’s seriously wrong though. Members are complaining in the forums (screenshots below) that they’ve received over 50 e-mails so far that were not meant for them. Several of them reportedly contain sensitive data from clients, like login details and private information about their accounts and activities.

Elance members reading this: you might want to verify what you’ve sent your clients the last few days and change any login credentials you’ve passed on. Who knows who else has been reading along.

(Thanks for alerting us, Salma)

Elance’s CMO, Brad Porteus, has issued a statement confirming and apologizing for the breach in security:

Here is what we know so far about the Daily Summary emails that many have reported receiving earlier today.

Once a day, Elance sends an email (to those who elect to receive them) that summarizes the previous 5 messages posted in the digital Workrooms that facilitate collaboration between service providers and their clients. Such communications are typically messages that occur either in real-time between parties or are left in a bulletin board format.

Yesterday, one of our engineers made a change to the script that initiates this nightly process. The changes were tested, but the errors were not identified. As a result, last night’s batch of such Daily Summary emails was initiated at 1:30am Pacific time, and unfortunately an unknown number were erroneously sent to parties that were neither the provider nor the client. The error was discovered at 2:30am and the process was halted by 2:50am.

The sending of daily digest emails has been stopped until such time that we can be assured that this error has been fixed.

This mistake happened due to human error on our side. It is inexcusable and we are sorry for it.

Our immediate priorities are to focus on understanding the impact these messages have had (how many were sent and to whom), and then to proactively communicate as appropriate to all parties who have been affected. This will take some time, so please be patient while we figure everything out.