Millions of email addresses were leaked to advertising and analytics companies, a security researcher said in a report Wednesday. Clicking links sent by email reportedly caused users of Quibi, Wish, JetBlue, The Washington Post and others to have their email address leaked to companies including Google, Facebook, Pinterest, Criteo, PayPal, Stripe, Twitter and Snapchat.
The links arrived in user inboxes inside account confirmation emails and newsletters, and included “unsubscribe” links in some cases. The user email addresses were transmitted either in plain text or in base64, an easily decoded data formatting tool.
The leaks are another example ofhow online advertisers are using their data. When advertisers receive the email address of an online shopper, the possibilities grow for tracking online behavior. That’s because an email is a long-lasting identifier. It can be paired with information about a user’s browser and device, allowing advertisers to learn that anyone coming from that Chrome browser on that Galaxy phone, for example, is associated with a specific email address.
However, it’s not clear from the report how advertisers used customer email addresses, and some companies that leaked email addresses said they didn’t have any indication the information was accessed or abused by their advertising partners.
One of the biggest leaks came from e-commerce site Wish, which the report said “likely leaked hundreds of millions of user emails for over a year.” The company changed its systems in response to the report, according to Wish and the researcher, Zach Edwards. But in an emailed statement, Wish called the report “off the mark,” saying the email addresses were encoded and its marketing affiliates would have had to go through additional steps to access the data. “We have no reason to believe that occurred,” the company said.
New video streaming service, called data security “the highest priority” in a statement. “The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately,” Quibi said.
JetBlue said in a statement it is taking the report seriously. “We will review the researcher’s findings to ensure we are respectful of our customers’ personal information and are in full compliance with the standards we have set.”
The Washington Post said it primarly shared the email data with analytics company Chartbeat.com, which is not an advertiser. “It appears no advertising companies received the base64 user email strings that several of their newsletters append to their unsubscribe links,” the company said in its statement, adding, “as the report also notes, this was a limited issue for The Post and we took immediate steps to resolve it.”
EveryAction and NGP Van, owned by the same company, are also named in the report. In a statement, EveryAction said it appreciates Edwards for bringing the issue to its attention. “We began working with Google and Microsoft to rectify issues around email unsubscribe pages immediately after we were alerted of this concern when the post was published earlier today,” the company said. “Initial fixes went live earlier this afternoon and our team will continue to work on this into the night.”
Other companies listed in the report as leaking user emails were Mandrill, Growing Child and Kong. Mandrill, Growing Child, Kong, Google, Facebook, Pinterest, Criteo, PayPal, Stripe, Twitter and Snapchat didn’t immediately respond to a request for comment.