Email Data Leak Found to Be Feeding Information to Advertising and Analytics Companies

A widespread email data leak is forwarding addresses in plain text to a variety of advertising and analytics companies, without end users being aware of what is happening. This leak occurs when users sign up for, unsubscribe from, or click on marketing emails from popular online services: MailChimp, Quibi, Wish, JetBlue and the Washington Post among the bigger names. The user’s email address winds up being forwarded to marketing programs run by Google, Facebook, Microsoft and Twitter among others.

URL query string email data leak: How it works

Various websites are configured in such a way that when a user signs up or unsubscribes from them, the user’s email is included in a plain text URL that is passed on through the company’s marketing system. Unfortunately, depending on how the company’s marketing analytics software is configured, that plain text email might escape from them and be forwarded on to major advertising and analytics companies that they have relationships with. This can also happen with special URLs sent to existing customers for promotions and offers.

Because the leak depends on how each individual site is configured, the affected websites are a fairly random assortment. The leak was discovered by security researcher Zach Edwards, who self-published it in a Medium article. Edwards claims that “numerous organizations” have the email data leak present in their customer management processes; a partial list of the popular websites he names includes:

  • Mailchimp
  • Wish.com
  • JetBlue
  • Quibi
  • The Washington Post
  • NGP VAN
  • KongHQ
  • EveryAction
  • Growing Child Magazine

And who is receiving these unencrypted email addresses? There isn’t much point to making a list; suffice to say that they could potentially be going to nearly every big name among advertising and analytics companies. It all depends on how each individual website is configured and who the advertising partners are.

The email data leak centers on the use of JavaScript during signup and unsubscribe processes, and in marketing emails with special links in the body. These advertising and analytics companies often have code present on partner web pages that transfers a variety of visitor metadata, potentially including URL query strings and parameters. A web browser may or may not prevent a plain text email address in a URL from being forwarded; if it does not, the advertising partner has it. The advertising partner generally obtains the email address from the URL of the “thank you” or confirmation page the user is redirected to. In the case of marketing emails, the customer’s email address is embedded in the promotional link, so it travels along in the URL when they click through.

However, even an obscured email address is not necessarily safe. Many of these sites use base64 encoding to disguise the email address in these situations; however, base64 is an encoding, not a form of encryption, and is trivial to reverse. The advertising and analytics companies are thus either receiving a plain text email address, or one that can easily be decoded if they choose to.
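The two points above, that a confirmation-page URL can carry the address in its query string and that base64 only disguises it, can be checked mechanically. The following is an added example written for this article, not code from Edwards or from any of the sites named: it scans a URL for query parameters that hold an email address in plain text or in base64, and produces a redacted copy that a site owner can hand to third-party tags instead of the raw page URL. The parameter names (`email`, `u`), the host `shop.example` and the address `alice@example.com` are constructed sample data.

```javascript
// Added example (not from the article): detect and redact email addresses
// carried in a URL query string before the URL reaches a third-party script.
// Runs under Node.js; uses only the built-in URL and Buffer globals.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// base64 and base64url alphabets; a real encoded address is at least 8 chars.
const BASE64_RE = /^[A-Za-z0-9+/=_-]{8,}$/;

// Returns the decoded address if `value` is base64/base64url that decodes to an
// email address, otherwise null. This is the whole "decryption" step: base64 is
// an encoding, so anyone holding the URL can recover the address.
function decodeBase64Email(value) {
  if (!BASE64_RE.test(value)) return null;
  try {
    const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
    const decoded = Buffer.from(normalized, 'base64').toString('utf8');
    return EMAIL_RE.test(decoded) ? decoded : null;
  } catch {
    return null;
  }
}

// Classify one query-string value as 'plain', 'base64' or null (no address).
// A raw '+' in a query string decodes to a space, so spaces are restored to '+'
// before testing; an email address can never legitimately contain a space.
function classifyValue(value) {
  const candidate = value.replace(/ /g, '+');
  if (EMAIL_RE.test(candidate)) return 'plain';
  if (decodeBase64Email(candidate) !== null) return 'base64';
  return null;
}

// Scan a URL and report every parameter that exposes an email address.
function findLeakedEmails(urlString) {
  const url = new URL(urlString);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    const kind = classifyValue(value);
    if (kind) findings.push({ param: name, exposure: kind });
  }
  return findings;
}

// Return a copy of the URL in which every parameter carrying an address is
// replaced by a fixed token, so analytics still sees the campaign parameters
// but never the address itself.
function redactEmailParams(urlString) {
  const url = new URL(urlString);
  for (const [name, value] of [...url.searchParams]) {
    if (classifyValue(value)) url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

// Constructed sample: a confirmation-page URL of the kind the article
// describes, carrying the address once in plain text and once base64-encoded.
const SAMPLE_EMAIL = 'alice@example.com';
const SAMPLE_URL =
  'https://shop.example/thanks?campaign=spring' +
  '&email=' + encodeURIComponent(SAMPLE_EMAIL) +
  '&u=' + Buffer.from(SAMPLE_EMAIL).toString('base64');

console.log(findLeakedEmails(SAMPLE_URL));
console.log(redactEmailParams(SAMPLE_URL));
```

Running the block reports both the `email` and the `u` parameter as exposures and prints a URL in which both values read `REDACTED` while `campaign=spring` survives. On a real site the redaction would be applied to the value passed into the analytics tag (or the tag configured to ignore those parameters) rather than to the address bar, and the scan function doubles as a check that can be run over referrer URLs in existing analytics exports to see whether the leak has occurred in the past.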

Are the email leaks to the advertising and analytics companies intentional?

Edwards believes that intent is another case-by-case situation, and James McQuiggan (Security Awareness Advocate for KnowBe4) agrees: “This activity demonstrates that organizations may not be vetting all third-party plugins or code within their website. It’s evident that one of these organizations realized the error, and it was not their intent to share the emails with other marketing organizations. In contrast, another one of these organizations is confident they’re not sharing information, when in fact they are, which leads to the issue that they don’t have a full understanding of the code on their website.”

Some companies appeared to not be aware of the email data leak and moved quickly to patch it up once notified. Others have acted in a more questionable way.

Edwards characterized Mailchimp, Wish.com and The Washington Post as the only organizations that took the email data leak seriously once notified, communicating and taking actions to remediate it almost immediately.

Others have had dismissive responses. Edwards singles out JetBlue here, who have apparently been notified of this since March but have yet to make any changes. And Edwards believes some companies, most notably the up-and-coming streaming service Quibi, have not only been aware of the email data breach for some time but have actively made use of it as a selling point and “growth hack.”

One major problem with these email data leaks is that it is virtually impossible to account for all of the services that are impacted — any website that has marketing partners among the advertising and analytics companies could be leaking this information. It is also very difficult to know if any site has done this in the past, and if so for how long. End users can protect themselves by blocking unknown third-party servers and/or JavaScript, but at the cost of potentially losing functionality or being unable to take advantage of promotional email offers.

These numerous email data breaches could present a major legal problem for the impacted companies. Email addresses are considered protected personal information under privacy laws such as the GDPR and CCPA, meaning that these breaches could be finable offenses. Edwards believes that any organization that has been leaking user emails should publish a list of every advertising and analytics company it partnered with while the breach was active, but it is unlikely any will do this willingly.

Senior Correspondent at CPO Magazine