Data breach?

I use a unique email address on every site I register on, including GitLab. A few hours ago, I received spam from Follow Analytics trying to sell me mobile development services. It was addressed to the email address I registered with GitLab. I haven’t used that email address anywhere else.

I double-checked my profile, and my Public Email setting is set to Do not show on profile. I don’t have any public repositories. I do have a public snippet, but I didn’t commit to that snippet using that email address. I have three applications connected to my account – this forum (just added), GitLab Subscription Portal (customers.gitlab.com), and Pulumi. Pulumi has the api and read_user permissions, which if I understand correctly, only allows access to the value of my Public Email setting, so that’s not the source of the leak.

I don’t want this email address to be publicly visible, and as far as I can see, none of my GitLab settings or activity has made it public.

Normally when this happens, it’s because the service in question has suffered a data breach. Has GitLab suffered a data breach? What other possibilities are there for somebody to obtain this email address? Has anybody else received spam from Follow Analytics (followanalytics.com)?

I think if you are using an API and you give it read access to your profile, then it has your email address, irrespective of whether you have marked it as do not show on profile. Remember that your profile availability via browsing the gitlab/github website isn’t the same as accessing your info via API. Therefore there is every chance that Pulumi has access to your email address and could be the source of the problem.

I use an email on gitlab and I haven’t registered it to use any API service, and I haven’t received such spam from Follow Analytics.

Receiving spam within a few hours after utilising an API service is more likely to be the source of the problem. A data breach is unlikely in such a short time scale from you registering on the site, and then immediately being spammed. The data would have had to be published somewhere and then propagated to be utilised, so that can be pretty much 100% ruled out. In such a situation, spam would probably start weeks or months after a breach. So I don’t see how that can be possible taking into account the intricacies of what is involved to breach and obtain data.

I think if you are using an API and you give it read access to your profile, then it has your email address, irrespective of whether you have marked it as do not show on profile.

The read_user permission has the following explanation:

Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.

Receiving spam within a few hours after utilising an API service is more likely to be the source of the problem. A data breach is unlikely in such a short time scale from you registering on the site, and then immediately being spammed.

I haven’t just registered. I’ve had my GitLab account for years and I connected the Pulumi application months ago. This spam is out of the blue and not connected to anything that’s happened on my GitLab account recently as far as I am aware.
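To check for yourself what a connected application can read through the /user endpoint discussed above, the following added example (not code from this thread or from GitLab) parses a saved /user response and lists every field carrying an address other than the public profile email; the sample response and its field names are constructed for illustration and are an assumption, not a capture from GitLab.

```python
import json
import re

# Constructed sample of a GET /user response. The field names are an
# assumption for illustration; replace with the JSON you actually receive.
SAMPLE_USER_JSON = """
{
  "id": 12345,
  "username": "example_user",
  "name": "Example User",
  "public_email": "",
  "email": "private-gitlab-signup@example.com",
  "commit_email": "private-gitlab-signup@example.com",
  "web_url": "https://gitlab.com/example_user"
}
"""

# Deliberately loose: we only want to spot values shaped like an address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_email_fields(user_json: str) -> dict:
    """Return {field: value} for every top-level string field that holds an email."""
    data = json.loads(user_json)
    return {k: v for k, v in data.items()
            if isinstance(v, str) and EMAIL_RE.match(v)}


def hidden_addresses(user_json: str) -> set:
    """Addresses an API consumer can read that are NOT the public profile email.

    A non-empty result means a token with profile read access sees an address
    the 'Do not show on profile' setting does not hide.
    """
    data = json.loads(user_json)
    public = data.get("public_email") or None  # "" means no public email set
    return {v for v in find_email_fields(user_json).values() if v != public}


if __name__ == "__main__":
    for field, value in find_email_fields(SAMPLE_USER_JSON).items():
        print(f"{field}: {value}")
    print("not covered by public_email:", hidden_addresses(SAMPLE_USER_JSON))
```

To run it against your own account, save the output of `curl -H "PRIVATE-TOKEN: <token>" https://gitlab.com/api/v4/user` to a file and pass its contents to the two functions instead of the constructed sample.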