APITable was sending spam to GitHub users that starred Bitwarden's repository, they don't care about user privacy and you should avoid them.
APITable (apitable.com, https://github.com/apitable) claims itself as an "Airtable alternative" that is "Better than all other Airtable open-source alternatives". source (archive.org)
But I would recommend avoiding them because they were quite shady, especially with how they are advertising themselves.
APITable were scaping email addresses on GitHub from users that starred Bitwarden's code repository then sending unsolicited advertisement that mentions Bitwarden.
Scraping user email on GitHub is clearly a violation of GitHub's TOS by the way:
You may not use the API to download data or Content from GitHub for spamming purposes, including for the purposes of selling GitHub users' personal information, such as to recruiters, headhunters, and job boards.
I might be wrong but there seems to be multiple different variant of the email subject, one of them is Good news for Bitwarden user.
Are you still using Bitwarden?
Well, yes? why do you ask? Is something bad happened to Bitwarden?? security exploits? data leak?? security exploits and data leak??!?
I would like to recommend a very cool and productive product to you...
Oh...
The email I received is sent from [email protected] via MailChamp.
The domain collacloud.com expired on the same day (2022 Dec 7), they did not renew that domain.
They were sending from [email protected] after that.
While the email did grab my attention immediately, I was worried Bitwarden was compromised and leaked data. Based on how other Bitwarden user reacted on reddit, twitter and hackernews, I'm not the only one.
Needless to say, that's a pretty shitty way to advertise your product, looks sketchy AF, especially when...
At the time of them sending out that email, they don't even have their GitHub repository up, so all you get is a static web page (archive.org) with their one line description of "an Airtable alternative" and some obviously fake review. How do you even have user reviews before the product is published?
What you can do is subscribe with your email address to "Stay up to date with APITable's latest developments", but why even subscribe manually when they just put you on the list anyway.
Yes, quote from their tweet in reply to @cppshane:
Hi shane!Sorry for bothering you and @Bitwarden, don't worry, @Bitwarden is safe and they are great, I'm still keeping an eye on them. I was browsing open source products on GitHub and saw that you starred @Bitwarden, and thus saw your email.
Therefore I took the liberty of guessing that you would be interested in open source products, so I sent you an email. We are very grateful to you for bringing this matter to our attention, and we will take it seriously and deal with it accordingly.
We apologize for any inconvenience caused to you and Biwarden, and finally allow me to express my gratitude to you again.
APITable, is the easy answer.
The founder is Kelly Chan and his email address were [email protected] and now [email protected]
So APITable are associated with, or are the same as vikadata.com and vika.cn, another "airtable alternative" website.
To be honest they weren't trying to hide that either, they have reference to vikadata all over their codebase, and a lot of the committers have a @vikadata.com email address. But this wasn't obvious before their GitHub repository was published.
Hong Kong. At least the founder is currently working in Wan Chai District, Hong Kong according to this tweet. In the footer of the email they sent there's also this line: APITable · CO CAO 1312 17TH ST#692DENVERCO · Hong Kong 802020 · Singapore, but I can't figure out what does that mean.
Maybe also ShenZhen. According to the Chinese ICP license for the domain vika.cn, the legal entity behind that is 深圳维格云科技有限公司 and it's registered in a industrial park in the FuTian district of ShenZhen (深圳市福田区梅林街道梅都社区中康路136号深圳新一代产业园1栋404). ICP License: 粤ICP备19106018号, 公安 no.: 44030402004286. The company is registered on 2019 July 12.
Probably not in Singapore. They have an entity registered in Singapore: APITABLE PTE. LTD., address: 73 UPPER PAYA LEBAR ROAD #06-01C CENTRO BIANCO SINGAPORE (534818) but it looks like a shell corporation to me. The company is registered on 2021 March 18.
Canada? The Github organization "APITable" were showing "Canada" as org location for a while, and in their TOS they are using APITable Ltd., 63 Forty Second St, Unionville Toronto, ON, Canada, L3P 7K3 as their legal entity, but I doubt there's a real employee working in Canada. The location is a single-family home in a residential area according to Google Maps. The company is registered on 2022 November 17.
apitable.com- MX record points to "feishu" (
mx[123].feishu.cn), an enterprise collaboration platform in China
- MX record points to "feishu" (
vikadata.com- Associated with the Shenzhen company (ICP license)
- MX record points to "feishu"
vika.cn- Associated with the Shenzhen company (ICP license)
- No MX record
vika.ltd- Associated with the Shenzhen company (ICP license)
- MX record points to
mxhichina.com, aka Aliyun
collacloud.comnotify.collacloud.comwas used to send spam via MailChamp before expiring on 2022 Dec 7.
milliontable.com- Was used to send spam via MailChamp
- MX record points to "feishu"
All of them are registered on Aliyun.
- https://shaneduffy.io/blog/shady-marketing-apitable-is-scraping-emails-from-github-stars
- https://news.ycombinator.com/item?id=34127804
- https://www.reddit.com/r/Bitwarden/comments/zeqpd6/is_bitwarden_leaking_email_addresses_i_got_an/
- https://www.reddit.com/r/Bitwarden/comments/zq1esd/anyone_else_getting_mails_from_a_random_company/
Thanks for digging into this more, I really hope this doesn't start becoming a popular marketing tactic...