X

Quibi, Wish, JetBlue, others leaked users' email addresses, researcher finds

Emails were leaked to Google, Facebook, Pinterest and more companies, according to a Wednesday report.

Corinne Reichert Senior Editor
Corinne Reichert (she/her) grew up in Sydney, Australia and moved to California in 2019. She holds degrees in law and communications, and currently writes news, analysis and features for CNET across the topics of electric vehicles, broadband networks, mobile devices, big tech, artificial intelligence, home technology and entertainment. In her spare time, she watches soccer games and F1 races, and goes to Disneyland as often as possible.
Expertise News, mobile, broadband, 5G, home tech, streaming services, entertainment, AI, policy, business, politics Credentials
  • I've been covering technology and mobile for 12 years, first as a telecommunications reporter and assistant editor at ZDNet in Australia, then as CNET's West Coast head of breaking news, and now in the Thought Leadership team.
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Corinne Reichert
Laura Hautala
3 min read
password-security-laptop-0368

Was your email leaked to ad and analytics companies?

Angela Lang/CNET

Millions of email addresses were leaked to advertising and analytics companies, a security researcher said in a report Wednesday. Clicking links sent by email reportedly caused users of Quibi , Wish, JetBlue, The Washington Post and others to have their email address leaked to companies including Google , Facebook , Pinterest , Criteo, PayPal, Stripe, Twitter and Snapchat.

The links arrived in user inboxes inside account confirmation emails and newsletters, and included "unsubscribe" links in some cases. The user email addresses were transmitted either in plain text or in base64, an easily decoded data formatting tool, according to the report.

The leaks are another example of how hard it is for web users to know how online advertisers are using their data. When advertisers receive the email address of an online shopper, the possibilities grow for tracking online behavior. That's because an email is a long-lasting identifier. It can be paired with information about a user's browser and device, allowing advertisers to learn that anyone coming from that Chrome browser on that Galaxy phone, for example, is associated with a specific email address.

However, it's not clear from the report how advertisers used customer email addresses, and some companies that leaked email addresses said they didn't have any indication the information was accessed or abused by their advertising partners.

One of the biggest leaks came from e-commerce site Wish, which the report said "likely leaked hundreds of millions of user emails for over a year." The company changed its systems in response to the report, according to Wish and the researcher, Zach Edwards. But in an emailed statement, Wish called the report "off the mark," saying the email addresses were encoded and its marketing affiliates would have had to go through additional steps to access the data. "We have no reason to believe that occurred," the company said.

New video streaming service Quibi, which just launched April 6, called data security "the highest priority" in a statement. "The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately," Quibi said.

JetBlue said in a statement it is taking the report seriously. "We will review the researcher's findings to ensure we are respectful of our customers' personal information and are in full compliance with the standards we have set."

The Washington Post said its user emails were not shared with any ad companies.

EveryAction and NGP Van, owned by the same company, are also named in the report. In a statement, EveryAction said it appreciates Edwards for bringing the issue to its attention. "We began working with Google and Microsoft to rectify issues around email unsubscribe pages immediately after we were alerted of this concern when the post was published earlier today," the company said. "Initial fixes went live earlier this afternoon and our team will continue to work on this into the night."

In a statement, Kong said it believes its use of consumer data follows applicable laws. "However," the company said, "we are making immediate updates to some of the methods in which these tools are implemented to address the concern raised in the report."

Other companies listed in the report as leaking user emails were Mandrill and Growing Child. Twitter declined to comment. Mandrill, Growing Child, Google, Facebook, Pinterest, Criteo, PayPal, Stripe and Snapchat didn't immediately respond to a request for comment.

Watch this: Cyberattack: How we were phished by professional hackers