Unpleasant emails Team Navalny apologizes after database of email addresses registered for planned protest leaks online
Team Navalny is looking into how a database of email addresses registered for their “Freedom for Navalny!” protest campaign leaked online. Journalists from Open Media first reported the leak on Thursday, April 15, after receiving copies of the database in an email attachment. The leak took place on the same day that Navalny’s Anti-Corruption Foundation released a new investigation into Vladimir Putin’s official residence in Valdai. Team Navalny has apologized for the incident, and assured that the database itself doesn’t contain any personal information other than email addresses. Navalny’s chief of staff told Meduza that the leak hasn’t affected his team’s preparations for the planned protest action.
On Thursday, April 15, Alexey Navalny’s Anti-Corruption Foundation (the FBK) released a new investigation into Russian President Vladimir Putin’s official residence in Valdai.
Later that evening, journalists from Open Media reported that unknown individuals had gained access to the email database from the website of the “Freedom for Navalny!” campaign, where the opposition politician’s supporters can register to take part in a planned countrywide protest action demanding his release from prison.
Open Media reported the leak after several of the outlet’s journalists who had registered with the protest campaign received emails with the website’s email database attached. The leaked database included their own email addresses.
“The attached file [contains] the entire email database — you can find your own [email address] there. For those who have doubts, in addition to the email address, we have added the time of your registration and its confirmation. This will help you remember the moment when you put your data in the hands of losers. There are 529,000 email addresses — 70 percent are bots, but there are also living people, like you,” the anonymous email said.
According to Znak.com, the people behind the emails also said that they have begun to deanonymize the information in the database, after which they plan to sell it to advertising companies.
Team Navalny confirmed the authenticity of the database and apologized for the leak. The database was used for distributing mail-outs to registered email addresses using the online service Mailgun, explained FBK director Ivan Zhdanov, assuring that Navalny’s associates have launched an investigation into the leak.
“This is exclusively a database of email addresses, without last names, first names, or any further details. The dirtiest trick the attackers can do is send you an unpleasant email, which will likely end up in spam. [...] We apologize for the trouble [this] has caused. This is the first time this has happened. We’ll do everything to prevent this situation from happening again.”
In a comment to Meduza, Navalny’s chief of staff Leonid Volkov said that the leak has in no way impacted his team’s plans to go forward with the “Freedom for Navalny!” protest.
“This question sounds a lot like, ‘Are you planning to terminate your pregnancy because dill prices went up in Argentina?’ Preparations for the rally are underway, an investigation into the incident involving the publication of the Mailgun logs is underway, there is no connection between these two events,” he said.
The new “Freedom for Navalny!” campaign was announced in late March. Team Navalny launched a dedicated website and invited Navalny’s supporters to register to take part in a planned protest action in support of the jailed opposition politician. To sign up, you have to register your location and email address.
According to the campaign website, more than 440,000 people have registered at the time of this writing. Navalny’s associates plan to announce the date of the rally when the campaign registers 500,000 supporters.
On January 23 and 31, as well as on February 2, pro-Navalny protests took place in more than 100 cities across Russia. More than 11,000 people were detained across the country during the three days of demonstrations, and investigators launched dozens of criminal cases in connection with the rallies.
On February 14, Navalny’s associates organized small flash mobs in neighborhoods across the country, under the slogan “Love is stronger than fear.” This protest action took place without any arrests.
In February, the business newspaper Kommersant reported that a database of alleged Navalny supporters had appeared online. The file contained the full names and phone numbers of nearly 30,000 people. The company InfoWatch said that the data was likely scraped from open sources and wasn’t necessarily the result of a leak.
Update: A representative for Mailgun shared the following statement with Meduza: “Earlier today, a customer reported that their account had potentially been compromised, and we are actively helping them investigate any suspicious account activity. Based on our initial findings, there are no indications of a platform-level vulnerability or data breach. Our team has identified that valid API keys and user credentials were used to access the data from our platform, and we are providing our findings to the customer to assist in their investigation. Mailgun takes data privacy very seriously. We take every precaution to protect our customers’ data and provide multi-factor authentication, session timeout preferences, role-based access control, and other security features to prevent unauthorized logins.”