A Personal Note from Klaviyo’s Head of Security and Trust
Building relationships with your customers can be incredibly rewarding. As you learn more about who your customers are—what they like, what they dislike, and what they ultimately expect from your brand—you discover how to better serve them with relevant, personalized experiences that lead to long-term loyalty.
We talk a lot about how owned marketing—the process of taking control of your growth by taking back control of the customer experience—is fundamental to the growth of a sustainable online business. And one of the core tenets of owned marketing is to be human and to think long-term.
Part of being human is admitting your setbacks. And part of being a human brand is being transparent and communicating with your customers not just when things are going well, but also when things don’t go according to plan.
Today is one of those days for the team here at Klaviyo.
I’m writing today to let you know that we experienced a security incident with our opt-out related forms that resulted in the unauthorized access to non-sensitive information—email addresses—for less than one percent of the profiles we store for a subset of our platform users. If you were part of the subset of Klaviyo accounts impacted by this incident, we’ve already sent you a notification.
Here at Klaviyo, we send emails on behalf of our platform users and, as required by CAN-SPAM in the U.S. and equivalent laws in other countries, we provide recipients with the option to unsubscribe from marketing emails and you can also provide them with the ability to manage their communication preferences. When your recipients click the unsubscribe link in an email, they’re directed to an online form to complete the opt-out process or update subscription preferences.
We built a feature that would automatically populate your recipients’ email addresses in these opt-out related forms. We built it this way to make it easier for your contacts to unsubscribe or update their preferences, which helps them have a better experience with your brand.
Typically, an opt-out related form pre-populates your recipients’ email addresses, which is the only possible field for an unsubscribe form and the default configuration for the preferences form. If you configured your preferences form to include additional fields, like physical address or first or last name, that information would also be automatically populated into the form. The preferences forms are not designed to include sensitive information, such as government IDs, Social Security numbers, financial account, or payment card details, and we have no reason to believe that any of our customers configured their preferences forms to include these types of sensitive information.
While the intent behind the feature was good, it was not immune from vulnerability. Within the unsubscribe form’s URL, there are two key parameters: an obfuscated six-character case sensitive unique company and profile identifier. The update subscription form functions in the same way after a recipient clicks a manage preferences link. The malicious actor was able to manipulate one or both of the key parameters within the unsubscribe or update subscription URL, which resulted in unauthorized access to any email address populated into the form, which could then be scraped by that malicious actor.
Once we discovered that this activity was taking place, we took steps right away to immediately mitigate the effect and we launched an investigation to fully understand the scope of what happened and how this occurred.
As a result, we’ve changed the way our platform responds to opt-out and preference links to prevent information from being rendered in these forms if there’s been a change to the URL.
At render time, we now sign the URL with a hash-based parameter and a secret token. If there are any modifications, we won’t serve your customer data for the subscription endpoints. We’ve also formalized a paid bug bounty program to allow security researchers to responsibly disclose vulnerabilities within our platform.
Additionally, we’ve reviewed and updated our logging and monitoring metrics and alerts, implemented new tooling, and we’re continuing to build out our security and trust team.
While this incident affected limited non-sensitive information, that doesn’t change the fact that we’re accountable, and we expect more from ourselves.
We sincerely apologize to you, our valued customers. Klaviyo is committed to enforcing the highest standards in data security and to be a transparent company—and these commitments are two of the primary reasons I joined the team in August 2019.
As Klaviyo’s new head of security and trust, it’s my responsibility and the responsibility of the team I lead to ensure that both our company and our product are held to the highest security standards, and that if a security incident does occur that impacts our customers, we not only take immediate required actions but that we also communicate with you in a timely and transparent way.
Data security is hard and we have various safeguards in place to help us identify, detect, and prevent these incidents, but they may still occur from time to time. We’re committed to proactively and continually taking the steps needed to safeguard the information others entrust to us so that you can deliver a secure and incredible experience to your subscribers and customers.
If you have any questions or concerns, please email email@example.com and we’ll get back to you as quickly as possible.Back to Blog Home