I use a unique email address on every site I register on, including GitLab. A few hours ago, I received spam from Follow Analytics trying to sell me mobile development services. It was addressed to the email address I registered with GitLab. I haven’t used that email address anywhere else.
I double-checked my profile, and my Public Email setting is set to Do not show on profile. I don’t have any public repositories. I do have a public snippet, but I didn’t commit to that snippet using that email address. I have three applications connected to my account – this forum (just added), GitLab Subscription Portal (customers.gitlab.com), and Pulumi. Pulumi has the read_user permission, which, if I understand correctly, only allows access to the value of my Public Email setting, so that’s not the source of the leak.
I don’t want this email address to be publicly visible, and as far as I can see, none of my GitLab settings or activity has made it public.
Normally when this happens, it’s because the service in question has suffered a data breach. Has GitLab suffered a data breach? What other possibilities are there for somebody to obtain this email address? Has anybody else received spam from Follow Analytics (