Skip to main content

Hundreds of millions of email addresses fed to advertisers by popular websites

(Image credit: Shutterstock / NicoElNino)

Some of the most popular websites online today have leaked hundreds of millions of email addresses to advertisers and data analytics firms, according to a new research report.

As a result of a defect in sign-up processes attached to websites such as Wish, MailChimp and the newly launched Quibi, user email addresses were funneled into the laps of the world’s largest advertisers, including Google, Facebook and Twitter.

Authored by security researcher Zach Edwards, the report explains that clicking on links embedded within account confirmation emails caused addresses and other user data to be delivered to third parties, who could then use the information to inform personalised advertising efforts.

The report does not make clear precisely how the email addresses were used by third party advertisers.

Email address leaks

This specific variety of breach occurs when an email address is appended to a URL following the activation of a link by the user. The information is then transferred to third party advertising and analytics firms - sometimes in plain text - as a mechanism of a piece of JavaScript code.

Users of web browser Google Chrome are more likely to fall victim, because the browser does not block JavaScript activity by default - unlike rival services Safari, Brave and Firefox.

E-commerce giant Wish was said to be responsible for one of the largest leaks, which “likely involved hundreds of millions of user emails,” according to Edwards. 

While the report criticises the lethargy demonstrated by many affected companies, it notes that Wish went to painstaking lengths to remedy the issue, rebuilding its email architecture in the space of 72 hours following the disclosure.

Streaming platform Quibi, launched on April 6, was also marked out as an offender and has since taken action to address the breach. “The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately,” said the firm.

According to Edwards, while users can take steps to prevent leaks of this kind (such as using an ad blocker or privacy-centric browser), the failure of businesses to request the deletion of user emails from third party logs is at the heart of the problem.

“There needs to be significant efforts by organizations sharing user emails in this way, to submit partner deletion requests to the third party advertising and analytics companies who received the emails,” he said.

The majority of the defective systems were still live as of the report’s publication on April 29, which suggests many consumers remain at risk.

Via New York Times