A Post-Mortem on the Recent Developer Story Information Leak

“A bug that caused the user’s phone number and email address to render in the HTML source for people that weren’t the user or an employer attempting to contact the user went unnoticed, because the information wasn’t actually rendered on the page.”
Incident #38 at Stack Exchange on 2016/10/11 by Tim Post (Community Evangelist)
Full report: https://meta.stackoverflow.com/questions/340960/a-post-mortem-on-the-recent-developer-story-information-leak
How it happened: A defect was deployed in a private beta feature (developer story CV), and the feature was made public. The defect wasn't noticed because the contact information was not visible on the page. 6 weeks later, a user reported that a search for their phone number showed their public CV as the first search result.
Architecture: Web application rendering HTML for web browser clients.
Technologies:
Root cause: A defect causing a user’s phone number and email address to be returned (unrendered) in the HTML source.
Failure: Email addresses and phone numbers of users included in HTML source.
Impact: Possible exposure of user’s phone number and email address.
Mitigation: Fixed the defect, deployed the fix, and worked with popular search engines and the Internet Archive to remove the data.
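
The failure mode above (contact data present in the HTML source but absent from the rendered page) is the kind a visual review misses, so a regression check has to scan the raw response served to an anonymous viewer. The following is an added example, not code from Stack Exchange or the original report; the sample page, the `example.test` address, the 555 phone number and all function names are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of a public CV page as served to an anonymous viewer.
# Contact details are absent from the visible text but present in the markup.
ANON_PAGE = """<html><body>
<h1>Jane Example</h1><p>Backend developer</p>
<input type="hidden" name="contact-email" value="jane&#64;example.test">
<div class="contact" data-phone="+1 (555) 010-0199" style="display:none"></div>
</body></html>"""

class _Text(HTMLParser):
    """Collects only text nodes, roughly what a reviewer sees in the browser."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def visible_text(source):
    parser = _Text()
    parser.feed(source)
    return " ".join(parser.chunks)

def _digits(s):
    return re.sub(r"\D", "", s)

def find_contact_leaks(text, email, phone):
    """Return sorted kinds of owner contact data ('email', 'phone') found in text."""
    decoded = html.unescape(text)  # entity-encoded values still count as exposed
    found = set()
    if email.lower() in decoded.lower():
        found.add("email")
    want = _digits(phone)
    # Compare phone numbers on digits only so formatting cannot hide a match.
    for cand in re.findall(r"\+?\d[\d\s().-]{5,}\d", decoded):
        got = _digits(cand)
        if len(got) >= 7 and (got.endswith(want) or want.endswith(got)):
            found.add("phone")
    return sorted(found)

if __name__ == "__main__":
    owner = ("jane@example.test", "555-010-0199")
    print("visible text:", find_contact_leaks(visible_text(ANON_PAGE), *owner))
    print("raw source:  ", find_contact_leaks(ANON_PAGE, *owner))
```

Run against the response an unauthenticated client receives, a check like this fails the build on the raw source even when the rendered text is clean.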