Tech

Micropayments Firm ‘Coil’ Spectacularly Exposed User Email Addresses

By Bill Toulas / November 17, 2020
email

There are many ways to end up exposed, but some are more understandable than others. For example, leaving an unprotected database online for anyone with a web browser to access is certainly a blunder, but misconfigurations can happen even by careful and otherwise diligent admins. Straight out sending email addresses via email to the entire userbase is a lapse that’s not easy to justify for a micropayments company that strives to win people’s trust.

This is exactly the mistake that Coil’s marketing team had made when it tried to send an update on the latest changes of its “Terms and Privacy Policy.” The company’s agents have sent out these emails in chunks of thousands, putting all addresses in the “To” field, so every recipient was able to see another 999 email addresses belonging to other Coil users.

https://twitter.com/bwhli/status/1328542178088370176

Besides the fact that people can now start a “reply-all email storm,” which thankfully nobody has done so far, the message distribution mistake has resulted in a severe exposure for the Coil users. Each of them has been exposed to another 999 people who know they have a Coil account and have a starting point in account takeover attempts.

For example, a malicious individual could search previous data breaches to find the same email address and maybe a couple of leaked passwords that could be used in the target’s Coil account (credential stuffing). Brute-forcing could also be a possibility, even if the target doesn’t correspond to any breach data available out there.

Further Reading

Also, the group of 999 people is just the start of the exposure. Every single one of them may share the email addresses with more people like straight-out ill-intended hackers who would even pay a few dollars for this data.

Coil has realized the mistake shortly after the emails flew away from them and sent an apology with a “Please forgive us” subject. As the CEO Stefan Thomas explained:

Earlier this evening, we sent you an email updating you on changes to our Terms & Privacy Policy. Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours.

This mistake is especially painful as we take privacy extremely seriously -- it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.


Add a Comment
Related Posts

Italian Email Provider Announced Hack That Exposed 600k Users


April 7, 2020

iOS 15 Mail Privacy Protection Fails to Cover Apple Watch Mail App


November 16, 2021

Google Takeout Backups Ended Up in the Wrong People’s Computers


February 4, 2020

Brave Browser’s Tor Mode Is Leaking the Users’ Real IP Address


February 19, 2021

Google’s ‘Gboard’ Gets Locally-Generated Suggestions While Barring App Access


October 8, 2020

Millions of Supposedly Amazon and eBay User Account Details Available for Purchase Online


February 19, 2021

© TechNadu 2024. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari