Your email address is being leaked to ads & analytics companies, alleges developer – News


Most popular Websites have been found to be leaking, wittingly or otherwise, your email address to advertising, analytics & other companies.

The findings of this in-depth research by digital strategist, developer & data architect Zach Edwards have been published on Medium.com. Incidentally, Zach started off his digital career when he was part of the digital team for US President Barack Obama’s 2007 election campaign.

Zach’s report has gone to great lengths to explain just how this leak of email addresses was taking place. We all know this much: there are Sites that use 3rd party analytics and advertising Javascript code. Now, according to Zach, depending on how a Website sets up its marketing systems, typically email systems & new user signup flows, the user emails can accidentally &/or purposefully leak to companies across the global data supply chain. Between them, these Sites have hundreds of millions of emails & real users.

Interestingly, as Zach has written, only Wish.com, Mailchimp & The Washington Post took this user email breach report seriously when notified.

How 3rd party Javascript allows the leakage

When any 3rd party Javascript code loads on a Site, metadata from the user & the Website can be transmitted to the 3rd party domain / company that controls that code. This metadata travels in the “request headers” that the browser sends. The data can include:

  • What page a user is visiting
  • What type of device & browser they are using
  • User location
  • Other forms of fingerprinting / cookies / URL querystring / URL parameters that are used by advertising & analytics companies

When a user loads a Web page, the URL being visited, along with any URL parameters, is shared with any advertising or analytics companies through the Javascript code on that page & through a browser “request header” field known as the “Referrer” field (spelled “Referer” in HTTP).

This type of email user data in a URL bar synced into Javascript pixels is most typically blocked by a regular person through “Ad blockers” or through browsers like Safari, Brave, & Firefox; those browsers use Javascript/cookie blocking as a default feature to protect users (each browser handles it slightly differently).

Zach said most of the data breaches that were found (some are still live breaches as of publishing) were caused “by a sloppy & dangerous growth hack” that is used to improve attribution tracking for analytics tools, & used to optimize & segment retargeting advertising campaigns.

Zach believes the Wish.com breach “was the largest out of all the examples in this research.” It lasted over a year & likely involved hundreds of millions of user emails in a base64 plain-text format being shared with analytics & advertising companies. But as soon as it was alerted, Wish escalated the problem and rebuilt its systems.

Zach said Wish & all organizations which were the subject of this research should be requesting deletion of user emails from any 3rd party logs held by external advertising & analytics companies, “but it appears no organization has submitted this request to their partners, even after being notified of their breaches.”

In a throwback to the Cambridge Analytica controversy, the research found that there were also “red flag organizations” which had ingested user emails that were small or relatively unknown organizations, yet likely receiving huge amounts of user emails in their request logs. Zach felt these smaller organizations needed a unique type of scrutiny due to the power that an advertising or analytics company can attain from ingesting millions of user emails from their enterprise clients, something like Cambridge Analytica did.

An example of the leakage, said the report, was Quibi leaking new user emails to external agencies from the email confirmation Webpage. Quibi reached out hours before publication with an apology & explanations on how that was happening, & what it was doing to tackle it.

According to the research, when you install the Quibi app, you are asked to submit an email to create your account, & then emailed a confirmation link that must be clicked to confirm the account. When a user clicks this email confirmation link, their email address is appended into the URL they are clicking in plain text, & sent to 3rd party advertising and analytics companies.
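A defensive check for the pattern described above (an email address riding in the page URL, in plain text as in the Quibi confirmation link or base64-encoded as in the Wish case), written as an added example that is not from the report or from this article. The hostnames, parameter names and addresses are constructed samples, and the code assumes Node.js.

```javascript
// Added example: find e-mail addresses carried in a URL's query string or
// fragment (plain or base64) and redact them. All sample data is constructed.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[A-Za-z]{2,}$/;
const B64_RE = /^[A-Za-z0-9+/_-]{8,}={0,2}$/;

// Return the e-mail address a parameter value carries, or null.
function emailIn(value) {
  if (EMAIL_RE.test(value)) return { encoding: 'plain', email: value };
  if (B64_RE.test(value)) {
    const decoded = Buffer.from(value, 'base64').toString('utf8');
    if (EMAIL_RE.test(decoded)) return { encoding: 'base64', email: decoded };
  }
  return null;
}

// List every query/fragment parameter of `rawUrl` that exposes an e-mail.
function findEmailLeaks(rawUrl) {
  const url = new URL(rawUrl);
  const leaks = [];
  const sources = [['query', url.searchParams],
                   ['fragment', new URLSearchParams(url.hash.slice(1))]];
  for (const [where, params] of sources) {
    for (const [name, value] of params) {
      const hit = emailIn(value);
      if (hit) leaks.push({ where, name, ...hit });
    }
  }
  return leaks;
}

// Return the URL with leaking parameters removed, i.e. the form that is
// safe to expose to third-party scripts or a Referer header.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const frag = new URLSearchParams(url.hash.slice(1));
  for (const leak of findEmailLeaks(rawUrl)) {
    if (leak.where === 'query') url.searchParams.delete(leak.name);
    else { frag.delete(leak.name); url.hash = frag.toString(); }
  }
  return url.toString();
}

// Constructed samples: plain-text leak, base64 leak, harmless URL.
const samples = [
  'https://shop.example/confirm?email=jane.doe%40example.org&step=2',
  'https://shop.example/welcome?uid=amFuZS5kb2VAZXhhbXBsZS5vcmc%3D&src=mail',
  'https://shop.example/cart?item=12345678',
];
for (const s of samples) console.log(findEmailLeaks(s), redactUrl(s));
```

A `Referrer-Policy` response header such as `strict-origin-when-cross-origin` keeps the query string out of the Referer header on cross-origin requests. Scripts running in the page can still read the address bar, so the parameter itself has to be removed before they load.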

The report continues to explain in detail how the breach happens, so if you are interested in Online privacy & related matters, the full report on Medium is worth reading.



I am an India-based Internet entrepreneur & Internet/digital/new media consultant. Old world journalist, author and communicator with over three decades of experience, I run my own firm, New Age Content Services LLP. We publish 5 Websites in the Internet, Web, and Tech domains. For a fuller explanation, go to www.newagecontentservices.com.
Sorab Ghaswalla