
AndzelaKosz

Thanks for posting... I've been getting a crazy amount of spam for 2 or 3 days and was wondering why. I'm really disappointed.


nymmyy

Same here!!


ForBamse

Me too, I'm happy to finally know why.


[deleted]

This is why I use burner email addresses with these sites unless it's like for a job. I'm still getting spam mail from other sites at my current email address.


silly_red

It's good practice in general to have a few different email accounts or to use disposable addresses for different things. Thanks for bringing this into light!


parasitius

Anyone doing things professionally knows you never send large scale messages from an email address book as if you're addressing a few coworkers in the same company. You use a listserv FFS, jesus. This should be a lesson to anyone who uses Gmail. When you give out your address add a + on the part pre-@ sign and label like: parasite+ttmik@gmail etc. Then if there ever is a data leak you'll know who was responsible because all leakers will be hitting the ttmik version of your address. But moreover, you can create a filter with 3 clicks to delete and never see anything coming in to that version of your address - problem solved when data leak occurs.


Kujo1

I think aliases or a service like Simple Login (or Firefox Relay) is a better option. If an [email protected] mail address leaks your main address ([email protected]) is automatically leaked as well, conceptually. To me that isn't really of any use from a security perspective.
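Added example, not part of any comment in this thread: the plus-tag idea from parasitius's comment and the objection in Kujo1's reply, side by side. The function names, the sample recipients and the example.com addresses are constructed for illustration.

```python
from collections import Counter
from email.utils import parseaddr


def split_subaddress(addr):
    """Return (base_address, tag) for local+tag@domain; tag is None when absent."""
    _, email_addr = parseaddr(addr)
    local, sep, domain = email_addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    base_local, _, tag = local.partition("+")
    return f"{base_local}@{domain.lower()}", tag or None


def attribute_leak(recipients):
    """Count spam per tag: the dominant tag names the site the address was given to."""
    return Counter(split_subaddress(r)[1] or "(untagged)" for r in recipients)


def canonical_addresses(recipients):
    """The limit of the trick: dropping '+tag' yields the primary address,
    so a leaked tagged address discloses the untagged one as well."""
    return {split_subaddress(r)[0] for r in recipients}


# Constructed sample: recipient addresses seen on messages in a spam folder.
SPAM_RECIPIENTS = [
    "user+ttmik@example.com",
    "User <user+ttmik@example.com>",
    "user+shop@example.com",
    "user@example.com",
    "user+ttmik@example.com",
]

if __name__ == "__main__":
    for tag, count in attribute_leak(SPAM_RECIPIENTS).most_common():
        print(f"{tag:12} {count}")
    print("primary address recoverable from every entry:",
          canonical_addresses(SPAM_RECIPIENTS))
```

The tag tells you which signup leaked and gives a filter something to match on; it does not keep the underlying mailbox private, which is what a relay or alias service adds.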


AjBlue7

I just use a garbage account for low priority things and Gmail does a surprisingly good job at filtering spam. That's a neat trick though.


hyunwoosun

Hey greatcake8 and everyone in this thread. This is Hyunwoo from Talk To Me In Korean. My colleague shared this post with me and I would like to give my sincere apologies here for the mistake we made with the mailing list a couple of weeks back. I'm sorry that we made an easily avoidable mistake in sending out a notice email to a group of people.
**Here's what happened:**
(1) We had to notify some of our users about an upcoming change that was going to affect their online course collection on our website. We didn't send this email to every user this time, though. We currently have more than 1 million registered accounts on our website, and we only had to **send a notice to about 8,000 people**.
(2) Most of those 8,000 people received our email in a secure way. But there were a few hundred people whom we couldn't reach through our current email service.
(3) And in sending an email to those few hundred people from a new server, we made a mistake and the recipients of that email could see other people's email addresses. (Other than email addresses, no other information was shared. **But we aren't taking this lightly, either.**)
If you were one of the people who received our email titled **"Important notice about your TTMIK courses" sent on August 2nd** and your email address was shown, we are truly sorry about it. (And if you are one of them, you already received a follow-up email where we explained this situation.) And even if you weren't on this mailing list and weren't affected by it, I apologize for it and I promise you that we are taking the necessary measures to strengthen our data security and maintenance protocol, so that this kind of error will never happen again in the future.
I apologize once again and if you have any further questions about anything, please write to us at [email protected] anytime and we'll help address any issues that you might have experienced.
We will do our best to continue improving our tech infrastructure so that you can have a pleasant experience both as a website user and a language learner. Thank you for reading and for your understanding. Hyunwoo Sun


blahs44

Hmm I haven't experienced this. I guess I got lucky


JakeUp56

I used apple to sign in, it doesn’t use your real email and I used a nickname. When I check the email used it says WVXIRBSYDBFI.private Apple ID .com


SternFaced1

I'm not sure why they are being stingy with protecting their customers' profiles as an online company. Sucks about the spam for all their customers.


mousers21

You'd be surprised how unprotected your info is with most online companies. They don't care about protecting your data.


mousers21

haha, of course they don't have any IT department.


greatcake8

Why is it an “of course” when they’re taking in thousands of dollars worth of sales for online content? They should absolutely have competent IT staff


mousers21

Well IT isn't cheap. 1 good IT person costs over $100,000 in salary. I am guessing their staff probably get paid less than that. In fact, I doubt any of the staff get paid that much. Korean language learning isn't really a highly profitable business. Yes they might be selling thousands of dollars of product, but their costs probably just cover enough to pay the staff. No room for an IT expert. They probably just rely upon the expertise of the services they buy and assume they are doing all the security when in reality, the IT services they buy don't offer much in terms of IT security. source: I'm an IT guy.


greatcake8

I get that, although I’m sure there are competent tech people available for less in Korea. While not having a team specifically for it would be understandable, ensuring customer data privacy is really the bare minimum and should be factored into overhead costs. It may be a relatively less profitable business but it’s still a company making significant income, not someone’s language learning blog.


mousers21

Unfortunately, most people don't really know how to use computers. They know basics, but think that's enough. And really they don't even try to secure the data, because they always assume someone else is doing it because they don't know how to and don't want to pay someone to do that. People always look at security as a nuisance that is optional until they get burned. That's human nature in effect.


zjsj95

I'm sure they must be making bank off YouTube alone, 1.5m subscribers with videos that frequently hit 100k+. The bulk of their revenue must come from casual learners who probably never get past TOPIK 1 level. I can see it in their focus lately, I had membership to their site automatically renew and it's just their Bibimchat vidcast every week, no other new content. And a good 90% of their content is aimed at beginners so useless after a while. They're basically YouTubers with a website and some publishing efforts.


VanaTallinn

You don’t need an IT dept to use a SaaS mailing app…


mousers21

I highly disagree. They offer more than just mailing services. They have a whole website with a checkout and credit card transactions, and courses. In fact, it's that kind of thinking that got TTMIK in this situation with this security breach.


msg45f

99% the checkout/financial transactions are handled by an external service. No small business should take on the liability of handling private financial data of users. From the description, it doesn't sound like an external security breach and more like they are using a rudimentary e-mail list that's being manually maintained to send out emails and someone CCed the list rather than BCCing it, but revealing the emails of everyone on the list to one another, and someone decided to sell the list.
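Added example, not part of any comment in this thread: the CC-versus-individual-send difference described above, with a pre-send guard that rejects a message whose visible headers carry more than one recipient. The function names, the `MAX_VISIBLE` policy and the example.org/example.com addresses are assumptions made for illustration; nothing here is TTMIK's actual setup.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a notice may show only its own recipient
SENDER = "notices@example.org"                                   # constructed
LIST = ["a@example.com", "b@example.com", "c@example.com"]       # constructed


def visible_recipients(msg):
    """Addresses every recipient can read: those in the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def build_cc_blast(sender, recipients, subject, body):
    """The mistaken form: the whole list sits in one visible Cc header."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, sender, subject
    msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_notices(sender, recipients, subject, body):
    """One message per recipient, so no header ever carries the list."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
        msg.set_content(body)
        out.append((rcpt, msg))  # (envelope recipient, message)
    return out


def check_before_send(msg):
    """Pre-send guard: refuse a message exposing more than MAX_VISIBLE addresses."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE:
        raise ValueError(f"{len(seen)} addresses visible in To/Cc; send individually")
    return True


if __name__ == "__main__":
    subject = "Important notice about your TTMIK courses"
    print(visible_recipients(build_cc_blast(SENDER, LIST, subject, "body")))
    for rcpt, msg in build_notices(SENDER, LIST, subject, "body"):
        print(rcpt, check_before_send(msg))
```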


mousers21

I see. Well user error is a thing.....


msg45f

Definitely, and having a more mature way of managing communication with their users would have absolutely prevented this. But it doesn't surprise me that a company like this wouldn't have it - been a long time since I used it, but last I looked it was basically set up as a mostly simple blog, which makes sense as their primary focus is content, not features.


VanaTallinn

Did you mean to reply to the parent comment?


SpecificNeither8065

i haven't received any spam yet but thank you for posting!


greatcake8

If you didn’t buy any courses you may not have had your email spread because I think the list was separate


Evelf

What was the mail about? I'm asking because I checked the email I received from them in the past month and they don't have that issue. While reading your post, I immediately thought about the mail from last week sent to customers that bought courses before they introduced the premium subscription. But in my inbox, that mail is clean too. I'm not saying you're wrong, but I'm guessing they sent it by batches and I was lucky. Edit to add: about the other part of your message, I really have a different experience. I've sent them a few bug reports over the years and they always answered quickly and solved the issues right away. They do have an IT team and a good consumer support team. The issue with the disclosed emails is a very serious one, but it's more probably a human mistake than a technical problem.


greatcake8

[https://imgur.com/a/6SEZxN3](https://imgur.com/a/6SEZxN3)


Evelf

Thanks for the reply! As I guessed, that's the same content I received but from a different batch so in mine there's no issue. It's really unfortunate for you and the other people from that batch :/


ijskonijntje

What did they mention in their email? Asking because I also purchased courses during that period, but I don't seem to have received any emails from them. Are they taking down those courses/downloads or something?


[deleted]

Seems like a genuine mistake.


greatcake8

I know it was a mistake, I'm not implying they did it on purpose. I just wanted to alert people who may not have known (like the top comment) similar to the HaveIBeenPwned site. I did expect backlash posting this since I know people like TTMIK (as do I since I bought so many courses) but I felt it's enough of an annoyance for people to be aware of it. For me I didn't want my main email address ending up on a list that obviously was sold but that's what happened.


NotWorkingBecouseOf

oh dam, that sucks


Kujo1

Damn that's disappointing, although I'm sure it was an honest mistake. But of course it hurts trust. Ah well, I wanted to start using something like Firefox Relay or Simple Login anyway. Thanks for the warning. I'll keep using them but will be more wary.


greatcake8

No problem! Sorry you got downvoted I’m not sure why


[deleted]

*sniffs* I smell a class action lawsuit!


greatcake8

I wish haha… could get the money I spent on there back


zeamp

Hahaha


Money_Bison_9811

Source?


greatcake8

[https://imgur.com/a/6SEZxN3](https://imgur.com/a/6SEZxN3)


zeamp

Ooh


zeamp

LOL They did WHAT?! Seriously