How Your Contact Info from LinkedIn and Email Gets Sold for $0.2~$0.8 a Piece
“B2B Contact Database” and “AI SDR/BDR” companies use your connections as data contributors and make browser extensions to parse and profit from your personal contact information.
TL;DR:
Table of Contents:
Selling your Contact Info is Big Business
Your Email Signature and Vacation Responders: A Gold Mine for Personal Contacts
How: The So-called Free Extensions That YOU Did NOT Install
Don’t Even Show Your Contact Info on LinkedIn
The Contacts Gold Mine and the Rich Get Richer
How Much Your Contacts Are Sold For
The Privacy Policy and the Law: How They Are Gamed
Be Cautious with All the AI SDR and BDR companies
A Possible Solution: robots.txt for Emails and LinkedIn
Imagine someone recording your phone call without your consent. It's illegal in most places. Now, imagine someone extracting your personal information from your written communications and selling it. Outrageous, right?
One day, I received a call from a CPA trying to reach a startup called Defined AI (“Defined” for short). Instead, she reached me, not Defined. She mentioned she got Defined’s number from Pitchbook. Curious, I submitted a ticket to Pitchbook to correct the error and moved on.
But the calls didn’t stop. I kept getting inquiries meant for Defined. Puzzled, I searched for Defined’s phone number online and found multiple sites listing my personal number as Defined’s HQ number. Take this site for example:
(all screenshots in this article were taken on 11/4/2024)
This experience took me back to my early days of uncovering the secrets behind these “B2B Contact Database” companies. Google Gemini gives a list of top B2B contact database companies. They often carry different names depending on the use case, such as “Lead Generation Tools”, “Sales Intelligence Platforms”, “Contact Data Providers”, “Prospecting Tools”, “CRM Data Enrichment Tools”.
Some of these companies, if not all, are harvesting your personal data for their gain. Lots of them are fueled with venture capitalists’ money to grow and scale faster.
Selling your Contact Info is Big Business
Let's stick with Defined as our example.
The following B2B contact provider boasts having 185 employees’ contacts from Defined:
The following B2B contact provider goes a step further, even showing their employees’ mobile phones:
Some B2B Contacts companies proudly advertise that they can “find contact info for anyone,” like this one with a whopping 1.3 billion PLUS contacts:
Among these, the most valuable pieces of information are phone numbers and emails—some business, some personal. They’re gold for cold outreach campaigns. Many people use their personal phones as their “business” phones, which leads to these numbers being mixed into business contact databases.
So, how do these companies get your personal contact information?
Your Email Signature and Vacation Responders: A Gold Mine for Personal Contacts
The secret lies in your email signature and your “I’m on vacation” auto-replies. Here is an example:
Even if you don’t include your mobile phone number in your email signature, vacation auto-replies often do:
Sometimes, people even include their boss’s email in their vacation responder. So, if you email their boss on December 27, you might get an auto-reply with their phone number too.
Ever accidentally used your personal email (like Gmail, outlook.com, or yahoo.com) to reply to a company email? Congratulations, your personal email is now in the wild too.
You might be thinking: aren’t these one-to-one emails protected by the recipient company's IT department? How do these phone numbers end up in the “B2B Contacts” databases?
How: The So-called Free Extensions That YOU Did NOT Install
It's all about those free browser extensions offered by B2B contact database companies. There are just so many of them:
Some of these extensions work by parsing your email, especially the signature field, to extract contact information, which they then save into their database.
You might think these tools are handy productivity boosters, but they secretly monitor everything going in and out of your email. Here’s a screenshot from a tutorial of such an email extension:
They can easily reveal someone’s LinkedIn phone number even if you are not connected with them (as long as you are a paid user of the tool):
All these tools are free to install because they aim to:
That’s why some companies even offer to “clean your email list” for free:
No free lunch, right? You're just trading your connections’ contact information for this free email tool.
“But I didn’t install these extensions – I never used them!”
It doesn't matter. As long as one of the people you email uses one of these extensions, your contact info is scraped and saved into the B2B contact databases. Most business people email hundreds, if not thousands, of people. If just one of them uses these extensions, your contact info is captured.
The problem might not be you; it might be your connections, over whom you have no control. You might have protected your personal info tightly, but your connections might not.
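For anyone who administers browsers for a team, the practical check is which installed extensions are allowed to read webmail and LinkedIn pages at all. The sketch below is an added example, not code from any vendor mentioned here: it reads a Chrome extension manifest and reports which watched hosts its permissions cover. The host watch list and the sample manifest are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumed watch list: pages where signatures and profile contact info are rendered.
SENSITIVE_HOSTS = ["mail.google.com", "outlook.office.com", "outlook.live.com",
                   "www.linkedin.com"]
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_of(pattern):
    """Host part of a Chrome match pattern, or None for API permissions."""
    if "://" not in pattern:
        return None                      # e.g. "storage" or "tabs"
    return pattern.split("://", 1)[1].split("/", 1)[0]

def sensitive_hits(manifest):
    """Map each watched host to the manifest patterns that grant access to it."""
    patterns = list(manifest.get("host_permissions", []))        # Manifest V3
    patterns += manifest.get("optional_host_permissions", [])    # granted on request
    patterns += manifest.get("permissions", [])                  # V2 lists hosts here
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    hits = {}
    for pat in patterns:
        host = host_of(pat)
        if pat in BROAD_PATTERNS:
            targets = SENSITIVE_HOSTS
        elif host is None:
            continue
        else:
            # Match-pattern hosts are exact, "*", or "*.domain" wildcards.
            targets = [h for h in SENSITIVE_HOSTS if fnmatchcase(h, host)]
        for h in targets:
            hits.setdefault(h, []).append(pat)
    return hits

# Constructed manifest for a hypothetical "email finder" extension.
SAMPLE = json.loads("""{
  "name": "Example Email Finder",
  "manifest_version": 3,
  "permissions": ["storage", "tabs"],
  "host_permissions": ["https://*.linkedin.com/*"],
  "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["sig.js"]}]
}""")
```

Run `sensitive_hits` over each `manifest.json` in a browser profile's extensions directory; any non-empty result is an extension that can read the pages where your contacts' signatures and LinkedIn details appear.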
Don’t Even Show Your Contact Info on LinkedIn
You might wonder:
“If you don’t know me on LinkedIn, how do you get my phone number or email?”
Well, it’s simple. One of your connections might have used these browser extensions. They can see your Contact Info on LinkedIn, which gets saved to a contacts database. Once it’s in the database, other people can access it — as long as they are willing to pay.
It’s reminiscent of the early days of the internet when some “WiFi password” managers shared all saved WiFi passwords with their users. Imagine your nephew saves your home’s WiFi to his password manager, and then one day, your husband’s boss visits your house for the first time, and your husband finds his boss’s phone automatically connected to your WiFi. It’s unsettling, right?
If a salesperson uses such a tool, they can indirectly get your phone number and start calling you after emailing. Worse, they might put you on an auto dialer until they qualify or disqualify you as a potential buyer.
The professional and credible network built by LinkedIn is being undermined by these scrapers and extensions. It’s not LinkedIn selling your info; it’s the companies that sell B2B contact databases and automation tools.
The Contacts Gold Mine and the Rich Get Richer
Once installed, the free browser extensions offered by these companies have access to four key pieces of data:
Even if you don’t use these tools, your connections might. These contact gold mines are being mined without your knowledge, let alone consent. The contact data that ends up in the B2B Contact Databases is called “User Contributed Data”. One blog post states that once a user imports contacts or syncs their CRM, “[company name] gains access to a wealth of up-to-date information”.
The users of these B2B contact database products are called data contributors. So far, 2 million of them make up this company's living data network:
This creates a Matthew effect of accumulated advantage—the more users use them, the more contacts they mine, and the more new users they attract. Essentially, the rich get richer.
For example, one company claims that their “database is the most expansive on the market” (source):
They even compare 10 such “B2B database companies” and cite each company’s number of contacts:
Numerous other B2B contact databases don’t even make the list.
What about the newcomers who want to get rich? They are late to the game but might be backed by big VC money or operate with questionable ethics. No one regulates them, and there’s no guarantee they conduct honest and transparent business.
Some companies are so transparent that they don’t mask personal phone numbers on the web to attract more free users, hoping to win the competition.
That’s how my personal phone number ended up on the internet without masking. Any scraper can grab it and add it to their own database. That’s probably how it ended up on Pitchbook.
How Much Your Contacts Are Sold For
Companies like this one sell your contact info at $79 per month for 1,200 mobile credits a year:
That’s roughly $0.79 per mobile number. Your mobile contact can be sold multiple times to different subscribers. So if you are in a hot business position, with hundreds of salespeople wanting to reach you, your contact is worth multiples of $0.79.
Most other companies do not disclose their pricing information unless you contact their sales team. Here’s another one whose price ranges from $0.60 per credit down to $0.20 (source):
Frankly, buying someone’s contacts for $0.79 to $0.20 a piece is dirt cheap for salespeople. When you multiply this by the hundreds of millions of contacts, each transacted hundreds of times, the revenue for these B2B Contact Database companies becomes substantial. They are sitting on a gold mine that will never run out.
The Privacy Policy and the Law: How They Are Gamed
Some companies explicitly say that they collect this contact info automatically, such as this one:
and this one:
Here’s the tricky part:
They collect personal data from you, but the personal data might not be yours.
The personal data can be all your connections’ personal data.
Even if you don’t use these services, as long as your connections use these services, they might leak your personal data to various databases.
But did you give your consent? No. The service provider would say: you never used our service, so we do not need your consent. But did they collect your personal data? Yes. Just from your connections, not directly from you.
The B2B contact database companies collect your personal data from your connections without your consent.
Or, to put it another way:
The B2B contact database companies collect your connections' personal data from you with only your consent.
That’s the loophole being exploited by the B2B contact database companies.
Could this violate GDPR? Coming back to the example of Defined: most of their employees are in Portugal, so they are EU residents. There's a high chance that the 100+ "mobile numbers" boasted by the B2B databases are personal numbers saved to databases outside of the EU without consent, which would be a big violation of GDPR.
Be Cautious with All the AI SDR and BDR companies
Driving through California, I’ve started to notice an increasing number of billboards from AI SDR (Sales Development Representative) and AI BDR (Business Development Representative) companies:
These ads give me goosebumps. Why? Because I don’t know how they are collecting my personal data and using it to sell products to me. Even worse, I realize that even if I don’t use their services, someone in my connections might. This means my personal data could be leaked simply because a connection saw one of these expensive advertisements.
There is no way to stop my connections from using these services, and that’s where the problem lies.
The rise of AI has enabled new scenarios where AI can replace humans in cold emailing and cold calling you, giving birth to the so-called “AI BDR” or “AI SDR”. These AI workhorses never stop, and what do they need the most to kick start your business?
Your contact info and your connections’ contact info.
A Possible Solution: robots.txt for Emails and LinkedIn
Before the rise of Large Language Models (LLMs) for vision, obfuscation was a clever tactic to keep web crawlers from reading your contact data. Here are a few classic examples:
You could even take the extra step of making your signature field an image. However, that comes with its own drawbacks: images can’t embed multiple clickable links, and it’s often a challenge for humans to copy the information accurately.
But let’s be real—today, it’s a piece of cake for a savvy email parser to recognize contact details from an image. Any sophisticated tool could crack your clever image signature with ease.
So, here’s a thought: why not implement a robots.txt standard for emails to keep those pesky robots from parsing all or part of your email?
robots.txt is a widely recognized protocol that tells web crawlers what they can and cannot access on a website. The following rule essentially says, “Hey, no robots allowed!”:
User-agent: *
Disallow: /
Emails, constructed from plain text or HTML, could adopt a similar approach. For instance, you could include a meta tag like this to allow all robots to access everything in the email:
<meta name="robots.txt" content="User-agent: *; Allow: *">
On the flip side, if you want to keep them out, you could say:
<meta name="robots.txt" content="User-agent: *; Disallow: *">
For a more targeted approach, here’s how you can tell those robots to steer clear of your Personally Identifiable Information (PII) like your email and phone number:
<meta name="robots.txt" content="User-agent: *; Disallow: PII">
This way, you can still allow parsing of other relevant parts of your email—like your meeting date for Google Calendar.
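What honoring this tag could look like on the parser side, as an added sketch rather than part of any existing standard or tool: it reads the proposed meta tag from an HTML email and returns nothing, PII-redacted text, or the full text. The semicolon-separated syntax follows the examples above; treating `*` or `/` as "the whole message", the regular expressions, and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")   # loose: 9+ digit-like characters
EVERYTHING = {"*", "/"}                            # assumed to mean "whole message"

class _Reader(HTMLParser):
    """Collects the proposed robots.txt meta tag and the text nodes."""
    def __init__(self):
        super().__init__()
        self.policy, self.chunks = "", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots.txt":
            self.policy = a.get("content") or ""

    def handle_data(self, data):
        self.chunks.append(data)

def parse_policy(content, agent="*"):
    """Return the (allow, disallow) value sets that apply to `agent`."""
    allow, disallow, applies = set(), set(), False
    for part in content.split(";"):
        key, _, value = part.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value in ("*", agent)
        elif applies and key in ("allow", "disallow"):
            (allow if key == "allow" else disallow).add(value)
    return allow, disallow

def readable_text(html, agent="*"):
    """Text a cooperating parser keeps: nothing, PII-redacted, or everything."""
    reader = _Reader()
    reader.feed(html)
    text = " ".join(" ".join(reader.chunks).split())
    _, disallow = parse_policy(reader.policy, agent)
    if disallow & EVERYTHING:
        return ""
    if "PII" in disallow:
        text = PHONE_RE.sub("[redacted]", EMAIL_RE.sub("[redacted]", text))
    return text

# Constructed sample message using the tag syntax proposed above.
SAMPLE = ('<html><head><meta name="robots.txt" content="User-agent: *; Disallow: PII">'
          '</head><body><p>Meeting moved to Nov 12 at 3pm.</p>'
          '<p>Jane Doe, jane.doe@example.com, +1 (555) 010-0199</p></body></html>')
```

With the sample message, the meeting date stays readable for a calendar integration while the email address and phone number are replaced before anything is stored.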
Now, let’s talk about LinkedIn.
I propose that LinkedIn adds a “Do Not Sell My Info” checkbox in the “Contact Info” popup, making it the default for all users. All web crawlers and B2B database software should honor this rule:
Until these suggestions become standard rules or are taken into consideration in law, it’s challenging to keep your contact info from being mined and sold. Here are a few practical tips to safeguard your privacy:
Some B2B contact database companies have found and exploited this loophole, turning themselves into public or even unicorn companies. Now that you know the score, keep a watchful eye on your connections. Your personal information could be getting sold by those who may not fully understand the implications of disclosing your contact details.
Finally, what can you do today and right now?
To save yourself from being on the receiving end of these unsolicited outreach efforts, please avoid putting your personal information, especially your phone number, in the Contact Info section of your LinkedIn profile. Here’s a direct link to LinkedIn to turn this off.
Software Engineering Manager. 2x founder. (one funded, one bootstrapped and profitable)
1 day ago: Brilliant deep dive!
Co-Founder & CEO @ Colega AI
1 week ago: Super useful. Thanks for this Xuchen Yao!
A Global Connector Making Things Happen
1 week ago: Face to face is the new cool Xuchen Yao! Great piece