HackDig : Dig high-quality web security articles for hackers

Coil payments platform leaks user emails in 'Privacy Policy' update

2020-11-17 12:25


Coil has accidentally exposed some of its users' email addresses in a mass email announcement sent out today.

Coil is a micropayments platform, similar to Patreon (but not quite) that is used by writers and popular blogging sites to monetize content.

Ironically, the mishap happened within an email announcement related to the company's Privacy Policy updates.

At least 1,000 emails disclosed in mass announcement

In an email announcement sent out a few hours ago, as observed by BleepingComputer, the company had notified content creators of upcoming changes to its terms and privacy policy.

For anyone who had received the email notice, it would be hard to miss multiple email addresses CC'd alongside the recipient's in this mass email.

coil leaks emails in privacy policy updates newsletter
Coil announced updates to its Terms of Service and Privacy Policy
Source: BleepingComputer

On taking a closer look, BleepingComputer noticed at least 1,000 emails were included in the announcement.

It is likely other users saw a different set of email addresses listed in the To or CC fields, assuming the mass announcement was emailed in batches of 1,000.

coil leaks 1000 email addresses
At least 1,000 Coil customer email addresses CC'd in the same newsletter
Source: BleepingComputer

CEO issues an apology

The company was quick to spot the data leak and pinned it on a human error in a follow-up email seen by BleepingComputer.

Roughly two hours after the mass email had been sent, Stefan Thomas, Coil's Founder and CEO issued an apology—this time without CC'ing an additional thousand users.

"Earlier this evening we sent you an email updating you on changes to our Terms & Privacy Policy. Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours," said Thomas.

Coil CEO issues apology
Coil CEO issues an apology for the data leak
Source: BleepingComputer

"This mistake is especially painful as we take privacy extremely seriously -- it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error," concluded the email.

Erroneous bulk email notifications from tech companies seem to have become frequent occurrences. 

Last week, Rakuten had erroneously emailed multiple customers, stating the customers had earned cashback, only to recall their words later.

In October, a Home Depot email blunder had exposed hundreds of customer orders and personal information to strangers CC'd in emails. 

Source: p-ycavirp-ni-sliame-resu-skael-mroftalp-stnemyap-lioc/ytiruces/swen/moc.retupmocgnipeelb.www

Read:248 | Comments:0 | Tags:Security Technology

“Coil payments platform leaks user emails in 'Privacy Policy' update”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud