WordPress VIP and Apollo.io Data Leak: How Personal Data Flows Through the Shadow Economy
Security researcher Terence Eden discovered that his personal phone number had been obtained by the data brokerage firm Apollo.io, which attributed the source to Parsely, Inc. (wpvip.com) — a WordPress VIP company. The case reveals how personal data flows through a shadow economy of data brokers with minimal consent or transparency.
The Discovery
Eden found his personal details being distributed by Apollo.io. When asked about the source, Apollo stated: "Your phone number came from Parsely, Inc (wpvip.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform."
The problem: Eden had never done business with Parsely and had no reason to expect them to have his phone number, let alone share it with third parties.
The Data Trail
Parsely became part of WordPress VIP (Automattic) in 2021. When Eden contacted WordPress VIP about the GDPR violation, their investigation revealed:
- The contact information was obtained from a meeting Eden had with WPScan (another Automattic company) around August 2022
- WordPress VIP denied any relationship with Apollo.io
- They denied selling or providing the information to third parties
Eden, for his part, has no memory of such a meeting and no record of it.
The Bigger Problem
Even if the data originated from a business card or email signature, the chain of custody raises serious questions:
- Consent erosion — Personal data shared in one context migrates to completely unrelated uses
- Data broker opacity — The path from original source to final distribution is invisible to the data subject
- GDPR limitations — Despite regulatory frameworks, practical enforcement remains extremely difficult
- Corporate accountability — Companies can plausibly deny responsibility while data continues to flow
Eden's Take
"I don't care any more. I'm just so tired of shitty companies treating personal data as a commodity to be traded, sold, repackaged, and abused."
The case illustrates a fundamental tension in the modern data economy: the technical ability to aggregate and share personal information vastly outpaces the legal and ethical frameworks designed to control it.