Foursquare Was Leaking Your Data, Too Busy With Funding To Tell You

Wired says that a few days ago, a white hat hacker found a way to capture the location data of all of Foursquare (which we can only describe, for those who remain unaware of it, as a location-based, social media experiment in solipsism that distinguishes itself by offering Starbucks coupons) — even if users had opted-out through privacy settings.

The company asked this helpful hacker to give them nine days to fix the problem. After the nine days were up, the company said they’d fixed one of the security holes, but were still working on two others. Then they announced that they got $20 million in venture capital and mysteriously didn’t mention the fact that they’d been broadcasting everyone’s location data to the entire Internet in violation of their own privacy policy. Teehee!

From Wired:

The company also didn’t respond to two separate e-mails from Monday and Tuesday, asking for comment. And to the company’s benefit, the news cycle focused on what Foursquare board member and venture capital investor Bryce Roberts tweeted as “the wire transfer heard ’round the world.”

Even after’s story on the breach ran Tuesday, the company had no reaction to the news of the breach. The company’s blog trumpeted its big funding, with links to its new office and entreaties for programmers to apply for a job, saying, “Look forward to more great product from us soon … we’re really just getting started.”

In response to a follow-up e-mail Wednesday morning, Foursquare’s PR manager Erin Gleason said the company had been “swamped for the past couple of days preparing for yesterday’s announcement, and your message was buried in my inbox.”

The response is quite telling. Foursquare had nine days to write a simple blog post, acknowledging the hole, explaining the fix and telling users they could opt out in the future and giving credit to Andersen. That’s how responsible disclosure works. But the company didn’t do any of those things.

From that it’s clear to see that Foursquare isn’t focused on its privacy practices, and seems to be ignorant of the consequences of violating its privacy promises to users.

Since the two Wired articles went up Foursquare has posted a notice to users. You can read it here.

We think the first comment on the apology post sort of sums up the way people feel about this issue:

Translation: A smart hacker we won’t credit (Jesper Andersen) totally busted us violating our privacy policy, but we didn’t say anything until after we cashed the $20m check and we hoped it would just go away. But a blogger e-mailed our funders so we had to put in a real fix this a.m. and write this blog post.

For more about the security hole, check out Wired’s original article.

We wanted to update you on recent improvements [Foursquare]
Foursquare Puts Money Before Privacy [Wired]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.