Sex Lube Maker's 250K Customer List Slides Onto Net -- Updated With Astroglide Comment

More than 250,000 people's names and addresses are now naked on the web after the maker of a popular sexual lubricant called Astroglide accidentally exposed lists of people who bought or requested free samples of its products, proving that there's no such thing as a free lubricant. BioFilm, a privately-held California company specializing in sexual lubricants, exposed customer data files dating from 2003 to 2007 to Google's search engine in early April. Google then indexed the pages and made local cache copies. A search on an individual's name now reveals that person's home address and the product they requested or ordered.

AstroGlide, a once niche product that is now stocked by major drugstore chains and Walmart, took down its free sample page on Monday in the last few days (cached copy). The page promised users that "All information will be used for mailing purposes only and will not be distributed to any outside organizations. Except maybe the paramedics if your free trial gets out of hand."

The company's privacy policy also promises that:

We take reasonable steps to protect your personally identifiable information as you transmit your information from your computer to our site and to protect such information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. [...]

Other than as disclosed in this Privacy Policy, we will not contact you with marketing material or share your PII [personally identifiable information] with outside parties unless such use or disclosure is clearly identified at the time you provide your PII or we provide you the opportunity to consent or prohibit such use or disclosure.

The files indexed by Google contain a total of 263,822 listings, each of which included a name and mailing addresses. No financial information was exposed. A random sampling included privacy conscious entries such as Current Resident and clearly fake entries for President George W. Bush and former Republican Senator Rick Santorum. Possibly less humorous are the tens of thousands of entries from people who used their real names. These included included doctors, programmers, students and a vice chancellor for a prestigious American university.

The vice-chancellor reached by phone said he wasn't particularly disturbed by the disclosure. "Obviously I would be disappointed [by the company breaking its privacy policy], but I'm not worried about that information getting out. I think I just gave them my name, address and phone number. I can see how other people would be concerned about it, though."

BioFilm is closed on Mondays and multiple attempts to reach the company were unsuccessful.

Anyone searching Google on the affected names would be able to find links to Astroglide customer files that Google indexed on April 3. The links no longer work, but Google cached copies of more than 500 files, which are still available for any internet user to view. Michael Hampton, a blogger who runs Homeland Stupidity, reported on Saturday that the company learned of the security lapse last week and took technical measures to prevent the files from being indexed or read directly.

The company's website makes no mention of the data security lapse, and it's unclear if the company has asked Google to remove the files. THREAT LEVEL reported the cached files to Google before publication.

Google doesn't treat the files as highly important, so the results are not extremely visible for those who have more than a handful of internet citations or have a common name. But for those with only one or two search results for their names and an unusual name, any searcher can easily see that person once requested or bought lubricant online.

UPDATE 6:00 pm PST: A Google spokeswoman writes in:

Google's cached links were developed to provide users with a back-up in case the original page they seek is unavailable. In addition, cached pages benefit users by loading quickly and highlighting search keywords on the page. The feedback from users and webmaster, who find benefit in the feature as an emergency back-up copy of their pages, has been positive. At Google we recognize that privacy is important, which is why we offer a simple process to tag pages so that they are not cached. In addition, Google provides webmasters with an automatic URL removal system, which enables webmasters to quickly remove their pages, including cached copies, from the Google index in the event that information has been mistakenly published.

Update 2 10:30 a.m. 4/24 : Reader Danielle, who says she was the first to find and spread the news of the spill, writes in to say that Google isn't as fast as they claim to be:

I'm the person who originally spotted this breach and alerted other about this; I submitted my request to Google to remove the cached copy of my file on Friday night - it's Tuesday and it is still up. The tool said that it would take 3-5 days for removal. They refused to expedite it on grounds that it doesn't really contain personal information, like an SSN or CC#. So no, Google, that is not quick removal. In internet time, that is forever.

Danielle wasn't the person who tipped us to the story. We heard about it from tipster DS. Thanks, DS

Update 3 2:15 p.m. PST 4/24: Astroglide's PR rep contacted us to make clear that the files were first indexed early this month. The company learned of the files on April 12, and says it's been jumping through hoops since then to get Google to remove the cached files. The company was "horrified" by the release and is so privacy-protective that it never even used these names and addresses for follow-up marketing, the spokeswoman added.

Full Statement:

Biofilm, Inc., manufacturer of Astroglide and other personal lubricants is taking immediate action to protect the identity of consumers requesting samples from the company’s website.

According to Lisa O’Carroll, Vice President of Sales and Marketing for Astroglide, became aware of the problem on April 12. “We received a call from someone who had looked up his own name on Google and found, among other entries, his request for an Astroglide sample. We immediately investigated and discovered that this was limited to Google. Text files were not available on Yahoo or other search engines. Although this was clearly a Google issue, Astroglide didn’t want to waste any time in fixing the problem in order to protect the security of our customer files. We have never sold nor shared any of our database information, and we don’t even recontact people. Although what transpired was beyond our control, Astroglide has always made the security of our internet customers our top priority and we deeply regret this unique and unfortunate occurrence."

Google began aggressively indexing a limited portion of the sample requests in mid-April. Most affected were the records were for the period August 2003 to January 2004. Matthew Eckmann, webmaster for the site, personally investigated approximately one dozen consumer queries about the leak and discovered that the site’s text files were appearing as search results. “The first step was to remove all the compromised files from the Astroglide website, so if someone clicked on the link it would take them to the “page not found” standard browser error. We then moved all files containing any consumer data on the webserver to a new secure location. We also wanted to remove cached files. Removing the content provides a dead link, and Google has processed our requests and removed their cached text files.

“Everything was all done using Google’s recommended protocols,” Eckmann adds. “The difficulty is, there is no live Google support for their free services. Their search and webmaster tools are considered a free service, all phone trees end with recordings. In the absence of someone at Google to give us an estimate of how many files were affected, we had to figure it out unilaterally. Fortunately, we were able to do so quickly and have put the Google correction procedures into place. We’ve handled more than 500 files already, and should be finished in another day or two.”

In addition to the individual page requests, Eckmann followed Google’s online instructions to create and install Google-specific index parameters in both text and XML, which tells the search engine which pages are indexable and which are off limits, and which will cause any previously found pages to be removed from the Google index. “We’ve updated long- and short-term protections in order to prevent a recurrence of this situation,” he points out. “This meant changing the file structure of the web server, changing the data access protocols and the Google bot access files, as well as making specific requests for the removal of every data file that may have been indexed. We have also taken down the sample request form until further notice. It’s unnerving when something like this happens, but with all the activity on the internet, these glitches are unavoidable. Fortunately, we were able to respond quickly and get it handled without delay.”

Calling it a Google issue is more than a bit self-serving. These files never should have been stored on a webserver. They never should have been anywhere a google spider could find them. And if the company never planned to do anything with the data, the files shouldn't even have existed. They should have just been destroyed.

UPDATE 11:00am PST 4/25: A reader writes in to make the excellent point that for some people, such as those being stalked or victims of domestic violence, having their address in the Google index puts them at risk of bodily harm:

I don't care who knows that I use this product. It's the fact that someone that I know may find my home address because of this. That someone is a stalker. My family and myself could be in danger,again. I did a search on this topic and it's all over the net. That's not good, for me or my family.