B2B Spam: Strapi, Unstructured and Reo
About a year ago I was rebuilding this blog, moving it from WordPress to … something else. I evaluated several content management systems for that, and one of them was Strapi.
Strapi have a live demo available and ask for an email address for access to it. This is, as you’d expect, part of their sales funnel. It’s done properly, with a checkbox to explicitly opt in to “occasional product and company updates by email”. I gave Strapi a unique email address, one that was used for that one transaction with them and nothing else. They sent me a few emails about the demo, and then added me to their mailing list.
The demo did Not Go Well, so that was my last interaction with Strapi as a potential vendor, and I probably unsubscribed from their marketing mail fairly soon after. The last email I have from them is from mid-October, 2024.
A year and a day later, on October 1st, 2025 I start receiving more email to that unique email address. It’s advertising a company called unstructured.io who seem to be selling an “AI based data extract, transform and load” product, but their website is reminiscent of Geocities in its heyday so I didn’t dig too deep into exactly what they do.
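The one-address-per-vendor trick described above can be checked mechanically. This is an added example, not code from the original post: it flags mail that arrives at a unique address from a domain other than the one the address was issued to. The registry entries, the `example.net` addresses and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: unique address -> domains entitled to mail it.
ISSUED = {
    "strapi-demo@example.net": {"strapi.io"},
    "vendor-x-trial@example.net": {"vendor-x.example"},
}

def domain_matches(sender_domain, allowed):
    """True if sender_domain is an allowed domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d)
               for d in allowed)

def check_message(raw, issued=ISSUED):
    """Return [(unique_address, sender_domain)] for unexpected senders."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower().rstrip(".")
    headers = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
               + msg.get_all("Cc", []))
    findings = []
    for _, addr in getaddresses(headers):
        addr = addr.lower()
        allowed = issued.get(addr)
        if allowed is None or domain_matches(sender_domain, allowed):
            continue  # not a tracked address, or the expected sender
        if (addr, sender_domain) not in findings:  # To + Delivered-To dedupe
            findings.append((addr, sender_domain))
    return findings

# Constructed sample messages (headers only matter here).
SAMPLE_LEAK = (
    "From: Outreach <noreply@unstructured.io>\n"
    "To: Steve <Strapi-Demo@example.net>\n"
    "Delivered-To: strapi-demo@example.net\n"
    "Subject: constructed sample\n\nbody\n"
)
SAMPLE_OK = (
    "From: Strapi <hello@mail.strapi.io>\n"
    "To: strapi-demo@example.net\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("leak", SAMPLE_LEAK), ("ok", SAMPLE_OK)):
        print(name, check_message(raw))
```

The From header is trivially forgeable, so a hit only says the address has reached someone new, not who that someone is.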
Strapi data breach?
This seems like someone may have compromised Strapi's customer database. Maybe sales staff moved to a new company and took a customer list with them, maybe something more interesting. Strapi are, as far as I know, a decent company so I should tell them about it.
I do a few quick checks to make sure that unstructured.io don’t have legitimate access to my information. If Strapi had rebranded to unstructured.io, or been bought by them, or even partnered with them then their use of my email address still might not be entirely legitimate, but it wouldn’t be anything worth chasing down. Nothing.
Strapi have a pretty solid privacy policy and ask for any contact about it to go to privacy@strapi.io, so I send a copy of the unstructured.io spam over to them with a quick “Hey, looks like your customer database has leaked, got this mail from unstructured.io to it, can you take a look?”
Unstructured.io seem like a real company
Unstructured.io make a big deal out of their GDPR compliance.

Let’s send them a data subject access request, and see if they’ll tell me where they acquired my data.
Good afternoon,
I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form.
You can use the domain my domain to identify data that may be associated with this request, and specifically the email address the unique-to-strapi email address.
Cheers, Steve
They get back to me about a week later, with three CSV files and a JSON file with all the information they have associated with me. Given this is the first time I’ve ever heard of them that’s quite a lot.
additional_contact_properties.csv is interesting:
"Name","Value","Updated at"
"Freemail","false","Sep 26, 2025 02:39 AM UTC"
"First Touch Source","Prospecting Reo","Sep 26, 2025 04:39 AM UTC"
"First Touch Channel","Prospecting/Enrichment Tool","Sep 26, 2025 04:39 AM UTC"
"REO: Developer Segment Name","0eac113a-8e89-45f0-b21a-3f4dd317d2aa;834263c0-0b6f-4d97-816a-d2689cbb29f9;6f569200-7f78-415f-a350-3214fbf774fa;580b62d4-8474-4257-8974-bca23657ac5c","Sep 26, 2025 02:39 AM UTC"
"REO: Developer Summary","<ul><li> Docs: Page Views: 1 </li></ul><a href="https://web.reo.dev/dashboard/developers?utm_source=crm-dev&devId=b63b999f-57a1-4318-b852-b86c507c0e31">REO Developer Link</a>","Sep 26, 2025 02:39 AM UTC"
"REO: Last Activity Date NEW","Aug 31, 2025 12:00 AM UTC","Sep 26, 2025 02:39 AM UTC"
"REO: Developer Tags","<ul><li>Blog Visitor Dev</li><li>Reo Dev</li><li>Website Visitor Dev</li><li>Prospect Type : Developer</li></ul>","Sep 26, 2025 02:39 AM UTC"
"Koalify Number of Duplicates","0","Oct 01, 2025 01:58 PM UTC"
"Point of Entry","Prospecting Reo","Sep 26, 2025 04:39 AM UTC"
"Reminders & Automations","1. After meeting with a Contact, please update their Lead Stage to:
- Qualified (makes a Deal)
- Disqualified (not a match for us, and never will be), or
- Recycled (a potential match for us in the future)
2. After each meeting, please update the meeting's outcome on your Sales Workspaces' Schedule tab (this link: https://app.hubspot.com/prospecting/40198703/schedule)","Sep 26, 2025 03:09 AM UTC"
"REO: Activity Score (Numeric)","4.0","Sep 26, 2025 02:39 AM UTC"
Reo.dev?
I get back in touch with unstructured.io and ask them to clarify where they acquired my data.
Their sole supplier is a company called reo.dev.
Reo.dev seem like a lead-gen company
Reo.dev seem to offer services for sales pipelines that want to target software developers by “integrating with developer-centric platforms”. Seems like they scrape public software repositories to gather information about developers. With that data they do things like deanonymize anonymous signups, annotate companies or github handles or IP addresses with PII about the user, that sort of thing.
Judging from their “happy customers” page many of their customers are using reo.dev as a source of data to send spam targeting software developers, just as unstructured.io are.
Sleazy, but salesfolk gonna salesfolk.
Reo.dev make a big deal out of their GDPR compliance.

Let’s send them a data subject access request, and see if they’ll tell me where they acquired my data.
Good afternoon,
I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form. That information would include everything described in Article 15 of the GDPR, but I draw your attention to section 1.g in particular: “where the personal data are not collected from the data subject, any available information as to their source”.
You can use the domain my domain to identify data that may be associated with this request, and specifically the email address the unique-to-strapi email address.
Cheers, Steve
They get back to me about a week later.
Categories of Personal Data
We hold the following information:
Email address: the unique-to-strapi email address
Company name: Word to the Wise
Form fill activity details (first name, last name, timestamp)
Sources:
Strapi Demo Page (https://strapi.io/demo) – Form fill activity recorded on 2024-09-29
(They also say that their purpose of processing is “Enrich Reo’s Prospect Database which could be used by other customers for their marketing and outreach purposes”, so at least they’re honest about what they’re selling the PII for).
Reo.dev say they got my PII from strapi.io, even giving the date and the input form where strapi acquired it. That’s pretty definitive.
Back to strapi.io
All this has taken several weeks and I’ve yet to receive any response from privacy@strapi.io, despite several emails to them (even an entirely plain text, not mentioning any of the domains involved, “Did you receive my previous email” one).
I’ve also sent mail explaining the situation to security@strapi.io, which promises a 72-hour response time. (It’s been over 72 hours; I have not received a response from security@strapi.io).
Strapi.io make a big deal out of their GDPR compliance.

I’ve already sent them a data subject access request ( … I draw your attention to section 1.c in particular: “the recipients or categories of recipient to whom the personal data have been or will be disclosed …” ) but that was sent to privacy@strapi.io, which seems to be somewhere email goes to die.
They do list an explicit contact for GDPR issues in their privacy policy, though:
European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Strapi has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:
Email at privacy@strapi.io, or
Writing to EDPO at Strapi Solutions, 128 rue de la Boétie, 75008 Paris, France
That’s the same email address I’ve not heard anything back from in weeks.
But EDPO are a well-known and respected data protection company, so I reach out to them directly. Maybe there’s a forwarding problem with the privacy@ email address.
Nope. EDPO “were not able to make the link with any of their clients” and have reached out to Strapi to clarify. So it looks like that bit of Strapi's privacy policy isn’t exactly accurate.
(Checking their privacy policy just now I see that they’ve also got a “you didn’t pay your Cookiebot bill” message at the bottom, so it looks like it’s pretty much unmaintained).
Strapi's general contact page is mostly locked behind a login, but they do suggest reaching out to them on Discord. What the heck, I’ve already wasted several hours on this.
I ask them about their selling customer data to brokers, with a very short form of the data in this post.
After poking some role accounts I get a response from one of Strapi's security folks saying that they “100% are not selling any user data” and that their policy for mails to security@ is 72 hours.
I also get a direct message from Strapi's CEO, repeating that Strapi does not sell any customer data, and explaining that they didn’t see any of my emails to their support@ or security@ addresses. And that he was prepared to delete my PII from Strapi's systems, but made no mention of the folks they’d sold it to.
I responded with a summary of the info in this blog post, but didn’t receive any response.
It’s now two days later, and I’ve not received any response to my data subject access request, nor anything else from privacy@strapi.io. I’ve not received any response from security@strapi.io, not even a “we received your mail and will respond”. Nor have I received any further response via Strapi's Discord channel.
What now?
I’m pretty sure that what happened is that someone at Strapi with “revenue” or “sales” in their job title gave my PII - and presumably lots of other Strapi customers' or prospects' PII - to reo.dev, possibly to do “list enrichment” on it to power their sales outreach. Maybe they sold it to reo.dev, more likely they bartered it for “something of value”; it doesn’t really matter.
Whether that’s Strapi as a company sharing customer PII with an address broker or an insider data breach really depends on whether Strapi senior management know about the practice, tolerate it or turn a blind eye. It’s one or the other, though.
Reo.dev then sold that PII to unstructured.io to use for outbound cold B2B marketing email (or “other customers marketing and outreach purposes” as their DSA response phrased it.)
Reo.dev said they don’t often do that, and may not have meant to. While they would say that, I tend to believe them.
This is all part of why the amount of annoying, semi-targeted B2B spam keeps going up. Even if the company you give your email address to doesn’t intend to misuse it, eventually they’ll share it with a vendor, who’ll share it with customers and the genie is never going back in the bottle.
Strapi's handling of this seems chaotic, at best. False statements about their GDPR representative in their privacy policy, non-functional contact addresses for privacy issues and security issues. Senior security and C-suite staff being not just disinterested but dismissive of PII from their customer database being available for sale on the open market.
I’m not really expecting much from them, but I’ll be filing a complaint with the Irish Data Protection Office. We’ll see if a formal notice provokes some action.
How should all this have gone down? I send email to privacy@ going “looks like your customer PII is leaking” and they respond promptly with “ooh, that’s bad. we’ll look into it” and they look into it, and three times in four don’t find anything. That happens every so often, and it’s how real companies deal with this sort of issue.