Hacker News

290

Someone at BrowserStack Is Leaking Users' Email Address

by m_km | 77 comments
Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is often times overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.

by streblo
> After a brief discussion, the emailer told me they got my details from Apollo.io

The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.

by gruez
> BrowserStack routinely sell or give away their users' data.

> A third-party service used by BrowserStack siphons off information to send to others.

> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

Or the simpler answer, their db/email list has been compromised.

by jofzar
> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" are not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

by petcat
Thank you for naming and shaming the company.
by sph
BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them.

I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?

I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.

I think most likely an attacker who has the customer data is using Claude to analyse it.

by jstanley
Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?

https://en.wikipedia.org/wiki/Canary_trap

by theandrewbailey
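The de-aliasing described by jofzar above and the canary-trap lookup asked about by theandrewbailey, as an added example that is not from any commenter: the alias registry is constructed, and the normalization rule (lower-case, strip a `+tag`, ignore dots in Gmail local parts) is an assumption about how a de-aliasing service might behave.

```python
# Constructed registry for this example: which address was handed to which service.
# Two styles: plus-tags on one mailbox (collapsible by de-aliasing) and distinct
# mailboxes on a personal domain (not collapsible by plus-stripping).
ALIASES = {
    "browserstack": "alice+browserstack@example.com",
    "webshop": "alice+webshop@example.com",
    "brightdata": "bstack-2024@alice-mail.example",
    "newsletter": "news-x7q@alice-mail.example",
}

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize(addr: str) -> str:
    """Canonicalise an address the way a de-aliasing service might (assumed rule:
    lower-case, drop a '+tag' suffix, and ignore dots in Gmail local parts)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"


def collisions(aliases: dict) -> dict:
    """Aliases that a de-aliasing service would merge into one account."""
    groups: dict = {}
    for service, addr in aliases.items():
        groups.setdefault(normalize(addr), []).append(service)
    return {canon: svcs for canon, svcs in groups.items() if len(svcs) > 1}


def attribute_leak(recipient: str, aliases: dict) -> tuple:
    """Canary-trap lookup: which service was given the address unsolicited mail
    arrived at?  An exact match wins; a match only after normalisation is weaker,
    and several such matches mean the alias scheme cannot tell the services apart."""
    recipient = recipient.strip().lower()
    for service, addr in aliases.items():
        if addr.lower() == recipient:
            return service, "exact"
    canon = normalize(recipient)
    hits = [s for s, a in aliases.items() if normalize(a) == canon]
    if len(hits) == 1:
        return hits[0], "normalized"
    return None, ("ambiguous" if hits else "unknown")


if __name__ == "__main__":
    print("collapsible aliases:", collisions(ALIASES))
    for rcpt in ("alice+browserstack@example.com", "alice@example.com",
                 "bstack-2024+x@alice-mail.example"):
        print(rcpt, "->", attribute_leak(rcpt, ALIASES))
```

Running it shows the two plus-tagged addresses collapse onto one mailbox, so mail arriving at the bare address cannot be attributed, while the distinct-mailbox aliases still identify their service.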
Selected quotes from Apollo's GDPR page:

> Consent must be "freely given, specific, informed, and unambiguous."

and

> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.

https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...

Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.

In other words: yes, if you have a CRM, then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!

So ultimately I think this is on both Browserstack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).

Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.

by andrewaylett
Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.

I don’t know how to stop it

by nashashmi
Is the _very big_ company Amazon, I wonder.
by Macha
This is beyond outrageous. And the data leak angle they’re pushing doesn’t make sense either.
by khalic
Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
by freedomben
Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
by wood_spirit
Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)

Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites

(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)

by Razengan
Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
by villgax
Just wait till OP learns about Accurint!
by ohhman11
Browserstack is Indian I believe. They will do anything for money, so of course they will sell it to email spam lists.
by sammy2255