Millions of email addresses were leaked to advertising and analytics companies, a security researcher said in a report Wednesday. Clicking links sent by email reportedly caused users of Quibi, Wish, JetBlue, The Washington Post and others to have their email address leaked to companies including Google, Facebook, Pinterest, Criteo, PayPal, Stripe, Twitter and Snapchat.
The links arrived in user inboxes inside account confirmation emails and newsletters, and included “unsubscribe” links in some cases. The user email addresses were transmitted either in plain text or in base64, an easily decoded data formatting tool, according to the report.
The leaks are another example ofhow online advertisers are using their data. When advertisers receive the email address of an online shopper, the possibilities grow for tracking online behavior. That’s because an email is a long-lasting identifier. It can be paired with information about a user’s browser and device, allowing advertisers to learn that anyone coming from that Chrome browser on that Galaxy phone, for example, is associated with a specific email address.
However, it’s not clear from the report how advertisers used customer email addresses, and some companies that leaked email addresses said they didn’t have any indication the information was accessed or abused by their advertising partners.
One of the biggest leaks came from e-commerce site Wish, which the report said “likely leaked hundreds of millions of user emails for over a year.” The company changed its systems in response to the report, according to Wish and the researcher, Zach Edwards. But in an emailed statement, Wish called the report “off the mark,” saying the email addresses were encoded and its marketing affiliates would have had to go through additional steps to access the data. “We have no reason to believe that occurred,” the company said.
New video streaming service, called data security “the highest priority” in a statement. “The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately,” Quibi said.
JetBlue said in a statement it is taking the report seriously. “We will review the researcher’s findings to ensure we are respectful of our customers’ personal information and are in full compliance with the standards we have set.”
The Washington Post said it primarly shared the email data with analytics company Chartbeat.com, which is not an advertiser. “It appears no advertising companies received the base64 user email strings that several of their newsletters append to their unsubscribe links,” the company said in its statement, adding, “as the report also notes, this was a limited issue for The Post and we took immediate steps to resolve it.”
EveryAction and NGP Van, owned by the same company, are also named in the report. In a statement, EveryAction said it appreciates Edwards for bringing the issue to its attention. “We began working with Google and Microsoft to rectify issues around email unsubscribe pages immediately after we were alerted of this concern when the post was published earlier today,” the company said. “Initial fixes went live earlier this afternoon and our team will continue to work on this into the night.”
In a statement, Kong said it believes its use of consumer data follows applicable laws. “However,” the company said, “we are making immediate updates to some of the methods in which these tools are implemented to address the concern raised in the report.”
Other companies listed in the report as leaking user emails were Mandrill and Growing Child. Twitter declined to comment. Mandrill, Growing Child, Google, Facebook, Pinterest, Criteo, PayPal, Stripe and Snapchat didn’t immediately respond to a request for comment.
- Pandemic thriller Utopia on Amazon might be the perfect viewing
- 2021 Jaguar F-Pace refreshed with new styling, luxury and tech
- 2020 Halloween full moon: This year’s spooky spectacle brings a rare twist
- The best minimalist wallet for 2020
- NASA chief calls for prioritizing Venus after surprise find hints at alien life
- YouTube is adding a new Shorts feature to rival TikTok and Instagram Reels
- Paul Rudd, world’s youngest 51-year-old, tells fellow kids to mask up
- Jonathan Majors to join MCU as villain Kang the Conquerer, report says
- TikTok ban won’t prevent employees from being paid, US says in filing