Asana is leaking personal info when I try to invite people based on email addresses. I want to use Asana with a friend for personal purposes. I have registered with a @disroot.org email address and I was added to an Organization called disroot.org. If I go to the invite dialog and start typing I can see a bunch of random people’s full name, profile picture and email address.
This shouldn’t be visible to me or others. This also keeps me from giving my full name because I don’t want others to see.
Please correct me if I don’t understand something here. Thank you.
This is expected behaviour in the sense that you are seen as an employee/member of this org. If you sign up with an apple.com email, you are added to the Apple org.
However, if you sign in with a Gmail, you don’t end up with Google employees but Asana flagged it as an email provider. Is disroot an email provider?
@Bastien_Siebman is right, this is expected behaviour - no data was leaked there.
From what I can see, someone in your Organization (disroot.org) created an account with their @disroot.org email address back in Nov 2018 and with that generated a “disroot.org” Org in Asana. You can learn more about creating Orgs in Asana here.
When you created your Asana account with your @disroot.org email, you automatically joined this disroot.org Org in Asana. This is why you can see other @disroot.org folks in the Org.
If you’re looking to use Asana with a friend privately, I recommend you use a Workspace instead of an organisation. To learn how to create a Workspace, check out this article from our guide.
Disroot is an email (and other cloud) service like gmail.com or hotmail.com, but apparently not recognized as such by Asana. The request is to treat Disroot similarly to how Asana treats gmail.com. I think this should be marked as unsolved and escalated. The poster didn’t join the Disroot.org organization; just signed up to create an email account.
Thanks. My personal case got halfway solved now by using a Workspace. The other half will be when disroot.org is added to the list, as said above.
Tbh, I think this is a UX design flaw. Asana shouldn’t assume that an email address of unknown domain belongs to a private organization. One solution could be that I can leave or decide to not join that Organization that already exists with that domain name.
Secondly, what if I do have a company that provides email on its domain for every employee but I don’t want all employees to use Asana and see each others’ email addresses and full names? Suppose the company does use Asana and does have an Organization set up and all employees have their names in their profiles. Now if another employee who is not supposed to use Asana registers, they can see all their names.
Just circling back here to let you know we deleted the [disroot.org](http://disroot.org/) and blacklisted this domain, so going forward nobody can create an Organisation in Asana with this domain. Thanks again for the report, we really appreciate it!
Just to clarify for others reading, I don’t think “blacklisting” here means anything negative; just that Asana has started correctly treating this domain as an email service.