Brands Are Exposing Customer Emails Through A 'Sloppy Hack,' Report Says

Numerous brands are exposing visitor emails, and those are being used by third-party advertising and analytics outfits, according to a blog post published on Wednesday by Zach Edwards, CEO of web analytics firm Victory Medium.

Some of the breaches are caused by “a sloppy and dangerous growth hack that is used to improve attribution tracking for analytics tools and used to optimize and segment retargeting advertising campaigns,” Edwards claims.

In general, the problem has its origin in the fact that most popular websites use third-party analytics and advertising JavaScript code, Edwards notes.

User emails “can accidentally and/or purposefully leak to companies across the global data supply chain,” depending on how email systems and signup flows are set up, Edwards says.

Such emails are often “ingested” by Google Analytics, Google’s DoubleClick, Facebook and Twitter, he charges. 


MediaPost was unable to independently confirm the allegations at deadline, and it was not clear whether they had resulted in financial harm to consumers or businesses.

Many brands have had their emails exposed, but only Wish.com, Mailchimp and The Washington Post "took this report on their user email breaches seriously," Edwards writes. 

Edwards adds that "Wish updated their email system within 72 hours of the report being sent and the other two started taking actions relatively quickly -- whereas many other organizations either didn't respond or have failed to take any actions for weeks or months."

In addition, Quibi reached out hours prior to publication of Edwards’ post to apologize and explain how the exposure occurred. However, he doubts some of its statements.

Edwards writes that when using the Quibi app, “you are asked to submit an email to create your account, and then emailed a confirmation link that must be clicked to confirm the account.”

When the user clicks this link, “their email address is appended into the URL they are clicking in plain text, and sent to 3rd party advertising and analytics companies,” he charges.

Some email leaks are due to use of ‘base64 encoding,’ an encoding scheme that “is NOT a form of encryption and provides no user protections,” Edwards continues.
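To make the leak path concrete, here is an added example (not code from the report, MediaPost or any of the brands named) that checks a confirmation-link URL for an email address carried in its query string, either in plain text or merely base64-encoded, and returns a scrubbed URL. The sample URL and the parameter names `email` and `u` are constructed for the example; it runs under Node.js, which provides the WHATWG `URL` class and `Buffer`.

```javascript
// Added example: detect customer emails riding in a confirmation-link URL,
// where any third-party analytics or ad script on the landing page can read
// them from the page location, and produce a URL with those values removed.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Base64 is an encoding, not encryption: anyone holding the value reverses it.
// Returns the decoded text when the value looks like base64, otherwise null.
function decodeBase64Maybe(value) {
  if (value.length < 8 || !/^[A-Za-z0-9+/_-]+=*$/.test(value)) return null;
  // Accept the URL-safe alphabet as well as the standard one.
  const std = value.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

// Returns one record per query parameter whose value is an email address,
// noting whether it was sent in the clear or only base64-encoded.
function findEmailLeaks(urlString) {
  const url = new URL(urlString);
  const leaks = [];
  for (const [param, value] of url.searchParams) {   // searchParams undoes %-encoding
    if (EMAIL_RE.test(value)) {
      leaks.push({ param, email: value, encoding: 'plain' });
      continue;
    }
    const decoded = decodeBase64Maybe(value);
    if (decoded !== null && EMAIL_RE.test(decoded)) {
      leaks.push({ param, email: decoded, encoding: 'base64' });
    }
  }
  return leaks;
}

// Drops every leaking parameter; other parameters (e.g. an opaque token) stay.
// In a browser this is the string to hand to history.replaceState() before
// any third-party tag loads, so the tag never sees the original location.
function scrubUrl(urlString) {
  const url = new URL(urlString);
  for (const leak of findEmailLeaks(urlString)) url.searchParams.delete(leak.param);
  return url.toString();
}

// Constructed sample: a confirmation link carrying the address twice.
function sampleUrl() {
  const b64 = Buffer.from('user@example.com').toString('base64');
  return 'https://example.invalid/confirm?token=abc123&email=user%40example.com&u='
    + encodeURIComponent(b64);
}

module.exports = { decodeBase64Maybe, findEmailLeaks, scrubUrl, sampleUrl };
```

Running `findEmailLeaks(sampleUrl())` reports both the plain and the base64 copy of the address, and `scrubUrl` leaves only the `token` parameter.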

Accurate or not, the report is bound to shine a spotlight on the medium. For example, Bleeping Computer posted an article on the findings. 

Noting that some of the breaches were still live at publication, Edwards advises firms to submit “’partner deletion requests’ to the third-party advertising and analytics companies who receive the emails.”
