Tags
email, Grouply, groups, identity theft, passwords, phishing, scam, usernames, Yahoo, Yahoo groups
a few days ago, someone on one of my Yahoo! groups innocently posted a “helpful” suggestion to use a service called Grouply to manage emails and digests from multiple Yahoo! groups… after doing a bit of poking around, I’m forced to conclude that Grouply is nothing more than yet another phishing scam, b/c the only thing they DON’T appear to go after (at least not that I know of) is credit card and/or bank account info while Grouply may not be phishing, they DO collect usernames and passwords (btw, giving this info to a third party probably violates the Yahoo! Groups TOS — see para 5), which not only puts your own info at risk, but it exposes the info of everyone in your groups as well… also, there’s currently no easy way to unsub from Grouply: someone who’s signed up has to call or email Grouply, and they’ll unsub you (you hope!), but in all likelihood they still retain any info/data that they’ve managed to collect about you AND the members of your groups… phishing scams like this don’t get caught in anti-virus and anti-spam software; ANY time someone asks you for access to your usernames and passwords, run far, and run fast!! think very VERY hard about what that person/entity COULD do w/your info if they decide to abuse it, and whether or not you’d want to be held responsible for anything they might do under your account info… I’m personally not willing to take that kind of risk…
Rich Reimer said:
Tanya,
I am co-founder of Grouply. Unfortunately, a few misunderstandings have occurred that we are trying to correct…
We do not SPAM. People are referring to the invites that enthusiastic users are sending to their groups. We provide a template they can use, but unfortunately most people do not change the text so it looks the same to all groups (and may look like SPAM). People were not choosing which groups to send – so some groups were getting multiple invites. We just changed it so that people cannot send an invite to a group if one was sent recently.
As far as security goes, we carefully protect your Yahoo password – we do not phish. We use it only for discovering your group list and retrieving messages – we will NOT use it for anything else, like your Yahoo email.
What I have discussed, we have posted publicly on our website on how we protect you: http://blog.grouply.com/protect. There is a negative posting speculating about Grouply – here is our response to it: http://blog.grouply.com/rebuttal.
But don’t take our word for it – check out what John T. (a respected moderator of the ListHelp group) said: “… My initial impression of Grouply.com was mistaken. They aren’t
stealing content or violating the privacy of our archives… In short, they are a Value Added Resource…”. You can read the full post at http://tech.groups.yahoo.com/group/ListHelp/message/37871 (you may have to join the ListHelp group).
Hopefully, as you can see, much of what is written is speculation, often by people who have not even tried Grouply. Hopefully these facts help clear it up.
If you would like to talk to a “human” 🙂 about this, please feel free to call me at our office 1-650-568-9824.
Thank you for your consideration.
Rich
http://www.linkedin.com/in/rreimer
andyswarbs said:
Surely people enter usernames and passwords into email programs such as Microsoft Outlook every day. Surely people access the Internet using password authentication. Also people enter yahoo usernames and passwords into their party tools quite often. One instance is Trillian which can then be used to send and receive IMs. Are you suggesting that trillian and other companies that do this sort of thing are phishing as well?
tanyaross said:
Andy, I can’t argue w/the first part of your statement: I myself enter usernames and passwords into tools such as my online banking, my web-based email, etc.; I even occasionally use multi-IM consolidator clients (like Trillian and Adium)… HOWEVER, there’s a BIG difference between entering personal information (such as usernames and passwords) myself, and handing that data over to a third party to “manage” it for me… other people may not see a distinction, but as Ben Franklin once said, “Three may keep a secret, if two of them are dead.”
tanyaross said:
Rich, I appreciate that you’re trying to clear up “misunderstandings” about Grouply, and I’m willing to admit that my initial opinion may be invalid IF I see evidence of that; however, I’m not yet convinced that I’m wrong… from what I’ve seen, Grouply behaves in ways that override privacy/security features that group owners/mods have set on their groups, and as an owner/mod of Yahoo! groups myself, I do see that as a problem…
bottom line is, Yahoo! Groups TOS states in para 5: “You are responsible for maintaining the confidentiality of the password and account and are fully responsible for all activities that occur under your password or account” — personally, I’m not willing to accept responsibility for what a third party may or may not do w/my acct info, and I’m going to continue to discourage others from exposing themselves to that risk as well…
Diana said:
Tanya,
Grouply has been certified by TRUSTe, an independent advocate of consumer internet privacy. In addition, Grouply ensures that your Yahoo password is encrypted and can be read only by the Grouply application, not directly by a human. Here’s more info about Grouply and how they protect the privacy of your password: http://blog.grouply.com/protect#password
In response to the users wishing to discontinue their Grouply account, Grouply provides a self-service delete feature. Go to http://www.grouply.com/discontinue.php and follow the directions.
I’ve been a user of Grouply for quite a while now and I’ve been very impressed–it definitely helps me keep up with all of my Yahoo Groups.
Regards,
Diana
Shyanne said:
I am a bit confused about this whole Grouply business. It was just brought to my attention yesterday that Grouply even existed. I am the owner of a very large Yahoo support group which has 100+ posts a day. Archives are only viewable by members that must be approved through a very detailed process for security reasons. Am I understanding this right, if one of my group members is a member of Grouply ANYONE that views that persons profile will have access to my groups messages even if that person viewing the profile is NOT a member of my group?
If this is the case, HOW do I go about stopping it? I have spent 7+ years protecting members of my group, and this flaw in the groups security really disturbs me.
Lscebay said:
Hi, what is the status of Otherinbox?
Also YouTube. I fear relaying my email address to you and everyone else as Grouply seems to have very long tentacles!!!
tanyaross said:
sorry, couldn’t tell you about Otherinbox as I’d never heard of it before your comment, but a quick Google search doesn’t turn up anything more scary than bacn. however, do your own due diligence and proceed at your own risk. good luck!
~~T
tanyaross said:
Shyanne, if you’re not already a member, I would highly recommend joining the EmailList-Managers group on Yahoo — there’s a very useful discussion going on right now that is bringing to light not only some of the GROUP privacy/security issues but also possible solutions for addressing them, which unfortunately seem to consist primarily of removing group members who’re “Grouplies” (gimme a break)… btw, I say “unfortunately” b/c I know few list owners/mods who take any pleasure from removing people from their groups, but if group privacy/security is a concern, there doesn’t currently appear to be any other alternative…
Phoenix said:
Grouply may not spam but they certainly do have their members spam. Im sick and tiredof seeing the grouply message from people I dont even know.
Jeff said:
I just found this blog by googling for groupy and “yahoo password”. I know it’s several months old, but here’s my two cents.
I don’t know if the Grouply founder is still checking messages here, but to him I say: Sorry, I’m not about to enter my password into a website where it’s stored where I have no control over it. The comparison that somebody made is to third party tools. But I enter my password into those tools (and often they run locally on my computer). That’s a far cry from putting it into some company’s database.
And for them to claim it’s encrypted is nonsense. If it uses one-way encryption (the only way it would be secure) then it couldn’t be fed into Yahoo Groups to log into my account. That means it’s two-way encrypted; it must be decrypted and then sent to Yahoo Groups. And that means Grouply has the ability to decrypt and look at your password any time they want.
Sorry Grouply. You might have honest intentions, but there’s no way to make me feel comfortable that it’s safe. I’m not touching your service.
Dawn P. said:
I am in a Yahoo group. Someone’s info was gotten by Grouply. Next thing she knows there was a post in our group saying she is using grouply and inviting people to join. She has no idea how it got there. She did not even type it, and is now upset. So now our whole group is now possibly exposed. We are working on what to do to get her out.
I AM ALSO GETTING INFO TO GIVE TO A FEW YAHOO OWNERS, I know so that we dont’ have to worry about the personal info we have in the groups. I also for now took my address out. Something needed for the kind of group I am in.
Dawn P.
raindog469 said:
In numerous groups of which I’m a member and which have forbidden Grouply from posting its allegedly user-generated spam, I’m now getting direct emails with a From address of some random person, all with this wording:
“We share the ____________ group. I want to add you as a friend in
Grouply so you can see my profile with my pictures, my groups, and my favorite group messages.”
Either Grouply is spamming, or the users who are doing this are spamming…. and considering the identical wording, I’m not willing to lay this entirely on users who didn’t see the “Skip this step” button. I’ve been reporting the members responsible for these invites to the owners of the groups in question, and most have been getting deleted from those groups. While there was a reference to Grouply in the body of the email, there was none in the headers, making it especially slow to block these mails (you can block emails with grouply.com URLs in them, but that means your filters have to scan the whole email and not just the headers.) But that isn’t the most irritating thing about these unsolicited commercial emails.
Looking at the headers of the emails, they’re being generated through Yahoo’s web interface, which explains how Grouply can send me emails without me having made my email address public. If you click on the little envelope icon next to someone’s post to a group, it gives you a web form to send them an email without revealing their email address to you. However, if I then click the Unsubscribe link at the bottom of one of the emails, it takes me to a page where I have to PUT IN MY EMAIL ADDRESS ANYWAY.
In other words, they’re building a “Yahoo ID to valid email” database, and anyone who doesn’t want to be spammed by Grouply or its members is unwittingly providing them with a way to do so. They, and their defenders, claim that their mass-mailing of invitations is no different than those of other social networks, but other social networks do not attempt to circumvent Yahoo’s email address security in this way, nor to my knowledge do they bulk-mail random people who have posted to a group on a service not owned by them.
The only acceptable solution is for Grouply to not require an email confirmation after we’ve already clicked on the unsubscribe link with the unique ID in it. Or if they’re really worried about mass accidental blocking of their spam, they should send a confirmation through the same means by which they sent the original spam.
It won’t matter to me because I’ve now added a subset of the grouply.com registration URL to my spam filters. It’ll slow down my mail retrieval, but I learned a decade ago never to give your email address to someone who keeps finding new excuses to send you unwanted solicitations.
lorrwill said:
Found you with the same complaint: I am getting Grouply emails left and right. Ironically, Yahoo does not tolerate Grouply users spamming Yahoo address. Comcast supports Grouply spamming.
I am about to got postal through the authorities (UCE, etc.) on Comcast.
Rocky said:
Since joining grouply, my email is bombarded with:
Delivery Status Notification (Failure).
Someone has forged my email and making it look
like I am sending SPAM.
I want out of Grouply….Period.
Rocky
Moishe Chaim Pippick said:
1. Grouply is not a spammer.
That is a bald faced lie. I have gotten several invites from people on groups that I belong to and each time when I investigated it, these invites were sent without their permission because they had given up their passwords to this scam.
tanyaross said:
this is one of the biggest reasons that I still strongly advise against giving one’s passwords to a third party: aside from the fact that it’s basically a violation of Yahoo!’s TOS (pls see the link in my original post above), and despite Grouply’s claims to the contrary, actions definitely speak louder than words, and anyone who gets mixed up w/Grouply often finds themselves unwittingly spamming every Yahoo! group they belong to and are then at a loss as to how to undo the damage, let alone how to prevent more spam from being inflicted on others under their name… I still say Grouply’s touted “convenience” is cold comfort for the associated aggro/risk… ~~T
lbjack said:
Grouply is definitely a scam. I don’t care how innocent they play.
You get a friend request from an unknown user. The link takes you not to the user but to a teaser page that says to see the user’s profile, etc. all you have to do is provide your Yahoo password.
Grouply is NOT a Yahoo site. Grouply is absolutely a phishing site, and any claim to the contrary is a LIE. This is not something some rogue user sets up but is built into Grouply Yahoo should sue Grouply for soliciting Yahoo passwords.
Henry said:
I’m a Software Engineer who has been involved with web programming since 1993 and other forms of multiple user online environments since 1991.
Grouply is a very bad idea. Don’t sign up for it. Don’t believe the claims that because they encrypt your yahoo password it can’t be used for bad things. Somewhere in their system that password has to be decoded into the plain text form and that is a point of vulnerability.
I trust a company like LinkedIn not to abuse my private info. They have a long history of doing the right thing. Giving your Yahoo password to Grouply, a company that sends misleading emails to entice you to join, is like handing your bank ATM card and password to the guy who is telling you made up stories to get you to give him cash so he can buy a bottle of booze. Maybe he’ll be more honest with your info in private than he was to you in your face but don’t count on it.
Dapper said:
Someone needs to point out to the owners of Grouply that SPAM is defined as any unsolicited email promoting a service or product, aka UCE. Doesn’t make any difference if the product being offered is free or not. Doesn’t make any difference if Grouply sent it or a Grouply member, it’s still SPAM.
I’m much more concerned about Grouply harvesting the messages from the many Yahoo groups, as well having my email address via the Grouply members who are in Yahoo Groups I belong to. Before Grouply, only Yahoo & the members of the group had access to the content. Not exactly private, but at least it was within a certain sphere of control. Grouply has blown all that away now. I didn’t sign up for Grouply, yet they now have much information about me.
Sure they might (maybe) have good intentions now, but how about a year or two from now when they start to run out of money. Or how about the issue of a rogue Grouply employee with access to all this information.
Joe said:
Let me make this simple: DON’T JOIN GROUPLY. IF YOU GET A GROUPLY RELATED E-MAIL DELETE IT.
I’m not accusing them of doing anything sinister, abusing privacy, etc. But, unless you are tech-savvy, very cautious, THE UNIVERSE WILL GET EMAILS FROM YOU THAT YOU NEVER INTENDED TO SEND.
Nay :) said:
Thank you for writing a honest submission about grouply, Tanya.
Rob said:
Taking or using without consent is theft. grouply uses their members email addresses to send their spam phishing emails. Which makes grouply THIEVES. When you read all the messages they write LIES to cover up for all the complaints made against them. Is there any other service getting as many complaints as grouply? Surely, thousands of group owners or moderators can not be wrong.
Thieves and liars are EVIL
I do not want grouply in any of my groups, but if just one member is conned into joining grouply, I don’t have any option but to accept them and their evil scams.
If you are a group owner/moderator, You may think you’re being clever by deleting any grouply email to your group(s) but just click on the “Management” Link then “Web Features,” and see how many of your members are getting individual invitations from grouply.”
They are sneaky enough to contact your members by stealth.
Finally, to anyone who is a member of grouply, beware, they DO read your mail and delete anything that mentions grouply. This isn’t just my thoughts, IT’S A FACT. I actually replied very rudely to several of grouplys scam emails supposed to have come from their members, and got a reply from grouply to tell me they were blocking my email address so I wouldn’t get any more of their spam scams. Thankfully it’s true I don’t get anymore of their SCAM emails. So I hope they keep blocking me. But better still block my groups so their members can’t access them.
Joe said:
Rich the Grouply co-owner says, “We do not SPAM. People are referring to the invites that enthusiastic users are sending to their groups.”
I won’t call this an outright lie, let’s just say it stretches the truth. Grouply spam– oops, I mean “invites”– start immediately upon signing up BEFORE THE SERVICE IS EVER USED… enthusiastically or not.
The VERY FEW people on various blogs that extol the virtues of Grouply membership are, I suspect, sock puppets. They go by various names, but give the same canned spiel.
Tee said:
Most other places don’t send me obviously fake emails pretending to be people I know. Remarks like “I read all of your posts…” when I haven’t actually posted to a certain group is not someone who’s paying any attention at all. It’s silly and the emails are a waste of space and time if nothing else. How could this be an actual person contacting me? What incentive is there for so-called members to send anything out to try to get new members? Do you pay these people then?
SPAM or promotion??? On the computer there’s often little difference. Facebook was a nightmare for a whole year contacting Mysapce members. At one point I had a dozen Facebook spam mails in one day and nobody stopped them — even though Myspace tried. BUT at least they weren’t pretending to be someone that knows me like Grouply does. If you have a good product or service, you shouldn’t have to make lies to sell it.
PISSED OFF said:
these guys SUCK BALLS.
the invite comes as a SPOOFed address so you cant block.
the “sender” doesnt even know theyre inviting everyone.
so you cant block the invites and grouply’s way of blocking DOESNT WORK.
just like all other SPAMMERS, you CANT opt out.
spam by any other name IS STILL SPAM.
Miss Pick said:
These guys are solid spammers. Anytime I’m getting unsolicited emails from people I don’t know, that is known as spam. There is nothing legit about this company.
Jacko said:
Why is it that the Grouply invites all come in at once. I am a member of quite a few groups and I don’t get one invite, it comes from various sources of yahoo groups at the same time. So once you give the yahoo password, they email every group you have wanting you to join them. If it was an option to send it out, it would be understandable, but when it just does this on its own is outright spamming. The people I have spoken to said they have not sent out any invites, so spamming is the key here.
If I got someones address and sent them lots of rubbish emails, this is spam. Grouply tries to ‘hide’ the fact that it is not spam by using the ‘this person ivited you’ scam line. Someone now has my email address and I am now recieving 300% more spam than before the first invite I recieved.
L P said:
I’m not a member of grouply. However, I’ve gotten an invite from someone. I asked if they sent it, response was NO! They have no idea how it got sent to me. I clicked the link out of curiosity. It wanted my Yahoo ID in order to view the profile. RED FLAG!! I closed window. Sorry I don’t put my passwords into 3rd party sites.
Pissed off in Redondo said:
“GROUPLY” is a down right scam !!! I have played the game with them on the “Request Link” to not receive any more of their bogus invites a minimum of 6 times and I continue to have this crap appear in my box. What the hell people? Those that believe that they are not spamming are smoking crack! I have contacted these so called friends that have sent this crud along and not one was a valid e-mail sent from the owner! How does one stop this nonsense? They are ignoring one’s requests to block their spam or the link is simply another means to verify one’s legit address. I understand that there is currently a legal firm in Los Angeles that is gathering names of those that have been spamed by this bogus crap and will be presenting it to the court system shortly, As soon as I have the information I will post it so that all can get in on the fun of seeing “Grouply” get hung out to dry…They totally deserve harsh penalties for the fraudulent scam they portray.
Rick Pikul said:
The only reason that “We do not SPAM.” is a true claim is that SPAM, (all caps) is a product from Hormel that is allegedly meat. OTOH, Unsolicited Bulk Email and Unsolicited Commercial Email are both types of spam.
Grouply sends email which is both bulk and unsolicited: By definition, this means that they are sending spam. That they trigger the sending of this spam by tricking other people into pressing a “send spam” button does not change this.
Fed up said:
I joined a yahoo group for a sensitive and very private issue (over 2 years ago). Was only in that group for a few months at most. But ever since, I’ve been bombarded with grouply invitations from people claiming to be in the same group with me. The latest happened today (5-3-10). I left the group Apr. 2008. So grouply obviously had to do some sort of data mining or phishing to get hold of my email address, from a supposed private yahoo group and from over 2 years ago!
I know this blog was written more than 2 years ago – and probably no one will read it 😦 – but I’m at a loss and feeling helpless. I’ve searched for articles on this mess but only find very dated ones. Has everyone dropped the ball on this? Or did their execs effectively black out all dissension?
Oh and btw, Andyswarbs is likely on payroll. I’ve seen his comments in support of grouply everywhere I’ve searched for more info – yahoo answers, blogs, etc. A few other names keep popping up too.
Sorry about my venting, but after 2 years I’d expect something to be done about this. I keep reporting the emails to spamcop.net but not sure if they’ve done anything.
Pissed off in Redondo, what is the name of that legal firm?
Registered Against my Will said:
Here’s the thing about me and Grouply, it seems I was AUTOMATICALLY signed up. I have in no way registered, yet I stumbled upon a description of my group in Google (one I’d rather remain private, seeing as it’s an Adult content group). What the heck? It’s like they caught it during the creation stage or something..bastards. >:-(
tanyaross said:
this is one of my most popular posts — it never ceases to amaze me that, more than 2 yrs after my initial post, I still get comments and questions re: Grouply.
apparently not much has changed in that 2 yrs, either — people are still complaining about Grouply activities like spamming and what certainly appears to be data mining. I’ve managed to protect myself and my little groups from Grouply invasion, but it seems others haven’t fared as well.
short of never interacting online w/anybody for anything, I’m not sure how one can completely protect oneself from data mining, other than taking the usual security precautions (specifically protecting login IDs, passwords, etc.).
however, you can help control Grouply’s access by helping group owners out when you’re concerned that a group has been infiltrated by Grouply: send a private email to a group owner letting them know that someone in the group is using Grouply — that will at least give the group owner the opportunity to research group members’ email addresses and protect the group from further violation. I know as a group owner/mod I’d be grateful to anyone who let me know (in a direct, private communication) that someone in our group was using Grouply, so I could then contact the Grouply user to let them know that they are being removed b/c privacy issues re: Grouply, and that they’re welcome to resubscribe with another non-Grouply email.
and in general, whenever you come across anything Grouply-ish, run far, and run fast.
~~T
PJ said:
I searched for grouply, thinking it was a great alternative to ning.com [ning is a ‘create your own social networking site’ website that has now decided to put greed before sense – forcing people to buy premium groups or lose their groups (previously a person could create groups for free) whilst firing loads of staff – which of course means that there won’t be enough support staff for premium groups and the plan will backfire] as I’d seen grouply by accident earlier today.
After googling it again with an intent to sign up, I noticed negative comments about it. Stuck ‘grouply scam’ in google (and that was a google suggestion so clearly other people had googled the same) and found this blog.
Thanks for helping me to avoid joining something that sounds even worse than tagged.com (that website phished, sent viruses, and spammed inboxes but to my knowledge didn’t root through private groups)
mosh said:
phshing? ohh no1!!!!
mlevi2538@gmail.com