Talkspace threatened to sue a security researcher over bug report


A security researcher said he was forced to take down a blog post describing an apparent bug in Talkspace’s website that gave him a year’s subscription for free, after the company rejected his findings and sent the researcher a legal threat.
John Jackson said he was able to sign up to Talkspace, a popular therapy app, as if he were an employee at one of the companies whose health insurance plans covers Talkspace’s services. Some of these sign-up links are found in Google search results, some of which aren’t advertised on the company’s website.
But Jackson said he found little to no evidence that the sign-up page verifies that a user is eligible for the free year-long subscription.
Jackson tested his theory by creating an account. A month later, the account is still active, he said.
Talkspace does not offer a way for security researchers to submit bugs. With help from TechCrunch, the researcher contacted Talkspace to warn of the potential bug, fearing that malicious hackers or users could be abusing the system and claiming free therapy. But the company rejected the claims, telling Jackson that it has “multiple internal processes in place to protect against abuses,” without providing specifics.
Within hours of Jackson publishing his findings on his blog — which TechCrunch has seen — Talkspace sent Jackson a cease and desist letter, accusing the researcher of defaming Talkspace “by broadcasting untruths” in his blog post.
“In no instance would Talkspace charge an enterprise partner or a health plan for services rendered to a user not deemed eligible by that partner,” said the letter, signed and sent by Talkspace general counsel John Reilly.
“This letter is formal notice to cease and desist, as well as immediately retract such statements with clarification to your blatant and damaging misstatements,” said the letter. “Failure to do so will result in further and immediate legal action.”
When reached, Talkspace would not say on the record what its anti-fraud mechanisms are, or if or how many fraudulent incidents it has discovered, only that the sign-up program is “designed in collaboration with each partner based upon their individual objectives,” said Gil Margolin, Talkspace’s chief technical officer.
We’ve published the cease and desist letter. The letter did not address the technical claims made by Jackson in his blog post.
When reached, Talkspace spokesperson JoAnna Di Tullio deferred comment to Reilly, who repeated the claims from his letter, that the company is “well aware of how we structure our employer relationships and secure eligibility for our services,” and described Jackson’s blog post as “pure defamation” and “utterly untrue.”
Jackson’s case is just the latest example of security researchers facing legal threats for their work. Months ago, aerospace security researcher Chris Kubecka said she was threatened by Boeing after finding a security issue on a plane. Two security researchers were also prosecuted last year amid claims they overstepped the limits of their penetration test at an Iowa courthouse. The case was later dropped.
Many companies nowadays embrace security researchers by offering bug reporting programs, which reward or pay researchers for finding security flaws and other bugs that could otherwise go unreported and exploited by malicious hackers.
Other companies, like Dropbox, Mozilla and Tesla, go further by offering “safe harbor” provisions by promising not to take legal action against researchers who act in good faith.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849.
A security researcher said he was forced to take down a blog post describing an apparent bug in Talkspace’s website that gave him a year’s subscription for free, after the company rejected his findings and sent the researcher a legal threat. John Jackson said he was able to sign up…
Recent Posts
- Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
- Your Earbuds Are Gross. Here’s How to Clean Them Properly
- This smart video lock unlocks with a wave of your hand
- Clues in Windows 11 suggest Microsoft has a nifty plan to help you move all your stuff from an old PC to a new computer more easily and conveniently
- NetEase Games has issued a statement on Marvel Rivals layoffs, citing ‘organizational reasons’
Archives
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- September 2018
- October 2017
- December 2011
- August 2010