Blind

   +-----------------------------------+
   |  TEAMBLIND, INC.                  |
   |  Founded:   2013 (Seoul)          |
   |  US launch: 2015                  |
   |  Funding:   $16M+ disclosed       |
   |  Users:     7M+ verified          |
   |  Companies: 300,000+              |
   |  Model:     Anonymous + verified  |
   |  Parent:    Independent           |
   |  HQ:        San Francisco / Seoul |
   +-----------------------------------+

Blind is interesting because it's the only platform in this audit whose entire value proposition depends on privacy. It is explicitly designed to let you talk about your employer without your employer knowing it's you. The architecture to achieve that is novel. The track record for it is mostly good, with one significant asterisk.

section_01 — what is collected

The design in plain English

To participate on Blind (post, comment, DM), you verify with a work email address. The platform says — and has patented the underlying infrastructure around — a two-way encrypted verification flow that lets Blind confirm you work at a company without persistently storing the email address or linking it to your account.

Once verified, you pick a display handle, and that handle is what appears on posts. The platform does not ask for your real name. It does not ask for your phone. It does not ask for your profile photo. The only things technically tied to your account are: the handle you chose, your company channel, and your posts / comments / DMs.

   ┌────────────────────────────────────────────────────────────────────┐
   │                  BLIND VERIFICATION FLOW (INTENDED)                │
   ├────────────────────────────────────────────────────────────────────┤
   │                                                                    │
   │   [ [email protected] ]                                        │
   │            │                                                       │
   │            │  ① one-time verification code                         │
   │            ▼                                                       │
   │   [ BLIND VERIFIER (ephemeral) ]                                   │
   │            │                                                       │
   │            │  ② emits: "this user is a verified Company employee"  │
   │            ▼                                                       │
   │   [ BLIND ACCOUNT DB ]  ← random handle · no email on record       │
   │            │                                                       │
   │            ▼                                                       │
   │   [ POSTS · DMS · COMMENTS ]  ← linked to handle, not to person    │
   │                                                                    │
   │   ✘  email never stored long-term                                  │
   │   ✘  real name never requested                                     │
   │   ✘  IP not linked to post-content per stated policy               │
   │                                                                    │
   └────────────────────────────────────────────────────────────────────┘

fig_03 — Blind's described architecture

What that still leaves collected

Company affiliation

The email domain of the company where you work. This is on your account by design.

Posts & comments

Everything you publish stays on the platform. Anonymity is pseudonymous — same handle, same conversation history.

Direct messages

DMs are stored on Blind's servers. They are not end-to-end encrypted (per their documentation as of last audit).

Device / IP

Logged at session level. Blind states these are not linked to post content in internal analytics.

Jailbroken devices

Actively blocked — the app refuses to run on rooted Android or jailbroken iOS for security reasons.

section_02 — who sees it

Access tiers

Other verified employees of your company — see your posts in the private company channel (requires 30+ signups from that company for channel to unlock)
All Blind users — see your posts on public feeds (industry channels, tech, compensation discussion, etc.)
Your employer — does not see your account or activity unless you leak identifying details in your own posts (which happens often)
Blind (internal) — access to content for moderation, analytics, and the newer HR-analytics products they sell to employers
Employers who purchase HR surveys — get aggregated sentiment data, never individual posts linked to names
Governments / lawful access — standard subpoena regime applies; because emails aren't stored long-term the de-anonymization surface is reduced

The realistic anonymity model

Blind's cryptographic design is genuinely better than most anonymous forums. But cryptography doesn't protect you from yourself. Most Blind de-anonymizations happen because:

The user mentions unique personal details in posts ("I'm the only L6 in our Zurich office who…")
The user's writing style or specific complaints are recognizable to colleagues
The user names coworkers, dates of events, or specific project codenames
Screenshots of Blind posts circulate internally at the affected company — and someone figures out who posted

If your goal is to post about your employer and have it not be traceable back to you, Blind's infrastructure gets you 80% of the way. Posting hygiene has to cover the other 20%.

section_03 — history

The 2018 incident

In December 2018, TechCrunch reported that Blind had left a database server exposed without a password for an unknown period. The server contained user login records, posts, comments, and unencrypted private direct messages, plus user account access tokens. Email addresses were not in the exposed portion of the database — so the core anonymity claim around emails held up — but content that users believed was private became accessible to anyone who knew where to look.

Blind addressed the exposure after disclosure and no evidence of malicious harvesting was publicly reported. Nonetheless, for a platform whose selling point is privacy, any server left accessible without a password is a serious operational failure. It's why this audit gives Blind a 4/10 risk score rather than a lower one, despite the strong architectural design.

Other notable points

Some companies actively block Blind sign-up emails on their mail servers to prevent employees from joining. This is usually discovered through indirect signals.
Blind has expanded beyond discussion into compensation-data and HR-insights products sold to companies — a revenue stream that increases institutional incentive to maintain detailed analytics.
User reports of toxic behavior and missing moderation controls are common in app-store reviews. Not a privacy issue per se, but shapes what participating on the platform is actually like.

section_04 — what to do

If you use Blind

Do not use the same display handle as anywhere else on the internet. Treat it as a fresh identity.
Never mention specific dates, project names, or coworker names in posts.
Write in a style distinct from your Slack / email / public writing if you're genuinely concerned.
Assume DMs are on-server and non-E2EE. Don't send anything you wouldn't want read by someone with backend access.
Don't cross-reference posts elsewhere — e.g., don't reply to "here's a Blind post by someone at $company" on a public site with confirming details.
If you want to post about an incident that's going to get company-level attention, post from outside work hours and outside your work network.

Risk score: 4/10

7M+ verified users Patented anonymity architecture No real-name requirement 2018 server exposure DMs not end-to-end encrypted Jailbreak/root blocked Company affiliation visible

Blind is the best technical approach to professional anonymity available at this scale. Its architecture is meaningfully different from just "make a fake LinkedIn." The 2018 exposure is a reminder that architecture is only as good as operations. Use it if you need to discuss compensation, culture, or grievances without employer blowback — but remember that cryptographic anonymity can't protect you from identifying yourself through what you say.

← audit_linkedin next: audit_xing → full matrix report