I raised a ticket earlier this week because one of my recipients received the body of an email which was not intended for them: an email body containing healthcare-related information for physiotherapy in France.
The subject line of my email was as intended; the body, however, contained a completely different email, including personal data.
After an investigation at my end, there was certainly no way this could have been generated by my server, because:
- The IP list is specific to my server, and my API keys require not my sending email address but my account email and API key pass.
- My email payload is generated dynamically based on various conditions, and the email is built at runtime, not from a static template that could be manipulated in any way. The body is produced on the fly at the time the email is sent.
- No unauthorised access to my sending server has been found, and the sending server is behind Cloudflare with limited ports.
After raising this as a concern (not about my customers' data, which I am confident is secure), my concern was that clearly another Brevo customer's data has been sent to an unintended recipient, presumably due to an SMTP relay buffer or something related to mismatching of the content over the network.
I have used Brevo for nearly 10 years, 7 with another company and trusting the business for the latest 5 years with my own businesses.
I therefore feel let down by the fact that, after raising a ticket, it has been ignored now for 48 hours and my transactional account abruptly suspended, with the blame placed on me. This comes only 2 months after I purchased a £350 annual marketing plan.
I refuse to accept that what has happened is solely my fault; however, I have taken steps to protect this better at my end, including:
- Upgrading from PHPMailer 6x to 7x (both of which protect against email body injection!)
- Disabling passive SMTP, meaning a new connection is opened and closed with every email.
Given that the Brevo platform lists the email as sent from a French IP, the body of the mismatched email is in French, and Brevo is headquartered in France, I cannot find any justification for disabling my account so promptly.
Can someone re-open my account, please? I raised the ticket as a concern for other customers' data, not my own customers' data, which has not been breached!