A widespread email data leak is forwarding addresses in plain text to a variety of advertising and analytics companies, without end users being aware of what is happening. This leak occurs when users sign up for, unsubscribe from, or click on marketing emails from popular online services: MailChimp, Quibi, Wish, JetBlue and the Washington Post among the bigger names. The user’s email address winds up being forwarded to marketing programs run by Google, Facebook, Microsoft and Twitter among others.
URL query string email data leak: How it works
Various websites are configured in such a way that when a user signs up or unsubscribes from them, the user’s email is included in a plain text URL that is passed on through the company’s marketing system. Unfortunately, depending on how the company’s marketing analytics software is configured, that plain text email might escape from them and be forwarded on to major advertising and analytics companies that they have relationships with. This can also happen with special URLs sent to existing customers for promotions and offers.
Because the leak depends on how each individual site is configured, the websites affected are a fairly random assortment. The leak was discovered by security researcher Zach Edwards, who self-published it in a Medium article. Edwards claims that “numerous organizations” have the email data leak present in their customer management processes; a partial list of the popular websites he names includes:
The Washington Post
Growing Child Magazine
And who is receiving these unencrypted email addresses? There isn’t much point in making a list; suffice it to say that they could potentially be going to nearly every big name among advertising and analytics companies. It all depends on how each individual website is configured and who its advertising partners are.
However, even an obscured email address is not necessarily safe. Many of these sites use base64 encoding to obscure the email address in these situations; however, base64 is not a form of encryption and is trivial to decode. The advertising and analytics companies are thus receiving either a plain text email address or one that can easily be decoded if they choose to.
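As an added example (not code from the article or from the researcher's work), a small Python audit that scans captured outbound request URLs for the pattern described above: an email address carried as a plain query parameter, as a base64 value, or inside a nested page URL forwarded to an analytics endpoint. The hostnames, parameter names and addresses in the sample requests are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, urlparse
# Loose email pattern: enough to flag candidate values in a URL for review.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")

def decode_base64(value):
    """Decode standard or URL-safe base64 (padding optional); None if not base64 text."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
    return None

def find_leaked_emails(url, depth=0):
    """Return [(parameter, email, encoding)] for each query value that is an email, a
    base64-encoded email, or a nested URL carrying one (an analytics 'page URL' parameter)."""
    found = []
    if depth > 3:  # cap recursion so crafted input cannot nest URLs forever
        return found
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            found.append((key, value, "plaintext"))
        elif (decoded := decode_base64(value)) and EMAIL_RE.match(decoded):
            found.append((key, decoded, "base64"))
        elif value.startswith(("http://", "https://")):
            for inner_key, email, enc in find_leaked_emails(value, depth + 1):
                found.append((f"{key}->{inner_key}", email, enc))
    return found

# Constructed sample of outbound requests, as a tag-audit proxy might capture them
# (hostnames, parameter names and addresses are hypothetical).
SAMPLE_REQUESTS = [
    "https://shop.example/unsubscribe?email=alice%40example.com&list=promo",
    "https://shop.example/signup?u=YWxpY2VAZXhhbXBsZS5jb20&src=newsletter",
    "https://collect.example/g/collect?v=2&dl=https%3A%2F%2Fshop.example%2Funsubscribe%3Femail%3Dbob%40example.org",
    "https://shop.example/offer?campaign=spring&id=8841",
]

def audit(urls):
    """Map each URL that leaks an address to its findings; clean URLs are omitted."""
    report = {}
    for url in urls:
        hits = find_leaked_emails(url)
        if hits:
            report[url] = hits
    return report
```

Run `audit` over the request log exported from your tag manager or a browser's network capture; any hit on a third-party host is an address leaving your domain.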
Are the email leaks to the advertising and analytics companies intentional?
Edwards believes that intent is another case-by-case situation, and James McQuiggan (Security Awareness Advocate for KnowBe4) agrees: “This activity demonstrates that organizations may not be vetting all third-party plugins or code within their website. It’s evident that one of these organizations realized the error, and it was not their intent to share the emails with other marketing organizations. In contrast, another one of these organizations is confident they’re not sharing information, when in fact they are, which leads to the issue that they don’t have a full understanding of the code on their website.”
Some companies appeared to not be aware of the email data leak and moved quickly to patch it up once notified. Others have acted in a more questionable way.
Edwards characterized Mailchimp, Wish.com and The Washington Post as the only organizations that took the email data leak seriously once notified, communicating and taking actions to remediate it almost immediately.
Others have had dismissive responses. Edwards singles out JetBlue here, who have apparently been notified of this since March but have yet to make any changes. And Edwards believes some companies, most notably the up-and-coming streaming service Quibi, have not only been aware of the email data breach for some time but have actively made use of it as a selling point and “growth hack.”
These numerous email data breaches could present a major legal problem for the impacted companies. Email addresses are considered protected personal information under privacy laws such as the GDPR and CCPA, meaning that these breaches could be finable offenses. Edwards believes that any organization that has been leaking user emails should publish a list of every advertising and analytics partner that was receiving data while the breach was active, but it is unlikely any will do this willingly.