We recently discovered that a small number of users deviated from our instructions when setting up Brave Sync. These users mistakenly used the sample codes (formerly shown on our help page) instead of their own private, unique codes to set up Brave Sync. As a result, they inadvertently synced their data with one another’s devices. Depending on the user’s choices, the synced data could have included email addresses, usernames, passwords, bookmarks, browsing history, mailing addresses and phone numbers. Based on our analysis, we believe that fewer than 100 users were affected by this issue for whom the synced data included identifiable details, such as email addresses.
Upon discovering the issue, we took the following steps:
- Notified the affected users.
- Disabled the affected sync accounts and deleted all of their synced data from our internal servers.
- Reached out to a number of platforms whose passwords may have been synced by affected users and requested that they reset any compromised passwords.
- Directed affected users to change all passwords associated with accounts that they synced in Brave.
- Provided instructions on how to restart Brave Sync with a new account and delete locally stored sync data.
We also made the following product changes:
- Replaced the sample QR codes with non-functional ones.
- Added a prompt reminding users not to use someone else’s QR code.
- Added an expiry to the QR codes so that they cannot be used indefinitely.
- Added a limit to the number of devices that can be part of a Sync chain.
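The three product changes above (rejecting the sample code, expiring QR codes, capping the chain size) can be modelled as a single join-validation policy. The following is an added illustration, not Brave's own code; the payload shape, the 30-minute expiry, the 10-device cap and the sample seed are all assumptions constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass, field

# Constructed policy values; the real Brave Sync limits are not stated on the page.
QR_CODE_TTL_SECONDS = 30 * 60      # how long a generated QR code stays valid
MAX_DEVICES_PER_CHAIN = 10         # cap on devices sharing one Sync chain

# Constructed stand-in for the seed of the sample code formerly shown on the help page.
SAMPLE_SEED = bytes(32)
SAMPLE_SEED_FINGERPRINT = hashlib.sha256(SAMPLE_SEED).hexdigest()


@dataclass
class QrPayload:
    seed: bytes        # the private sync seed the scanning device wants to join
    issued_at: float   # unix time at which the QR code was generated


@dataclass
class SyncChain:
    devices: set = field(default_factory=set)


def chain_id(seed: bytes) -> str:
    # Identifier the joining service keys chains by; in this model only a
    # one-way derivation of the seed is stored, never the seed itself.
    return hashlib.sha256(b"chain-id:" + seed).hexdigest()


def validate_join(payload: QrPayload, device_id: str, chains: dict, now=None):
    """Return (accepted, reason). Rejects the shared sample code, stale codes and full chains."""
    now = time.time() if now is None else now
    # 1. A published sample code is shared by everyone who copies it, so it is never a private code.
    if hashlib.sha256(payload.seed).hexdigest() == SAMPLE_SEED_FINGERPRINT:
        return False, "sample code is not a private sync code"
    # 2. Expiry: a code copied from a screenshot or an old document stops working after the window.
    if payload.issued_at > now or now - payload.issued_at > QR_CODE_TTL_SECONDS:
        return False, "QR code expired"
    chain = chains.setdefault(chain_id(payload.seed), SyncChain())
    # 3. Device cap: even a leaked code cannot pull an unbounded number of devices together.
    if device_id not in chain.devices and len(chain.devices) >= MAX_DEVICES_PER_CHAIN:
        return False, "device limit reached"
    chain.devices.add(device_id)
    return True, "joined"
```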
Although this issue affected the personal information of a very small number of users, we believe in transparency and wanted to inform our community that we took action in response to this issue.
If you have any questions you may contact Brave’s data protection officer, Pat Walshe, by emailing firstname.lastname@example.org.