Tech

Micropayments Firm ‘Coil’ Spectacularly Exposed User Email Addresses

Written by Bill Toulas
Last updated July 14, 2021

There are many ways to end up exposed, but some are more understandable than others. For example, leaving an unprotected database online for anyone with a web browser to access is certainly a blunder, but misconfigurations can happen even by careful and otherwise diligent admins. Straight out sending email addresses via email to the entire userbase is a lapse that’s not easy to justify for a micropayments company that strives to win people’s trust.

This is exactly the mistake that Coil’s marketing team had made when it tried to send an update on the latest changes of its “Terms and Privacy Policy.” The company’s agents have sent out these emails in chunks of thousands, putting all addresses in the “To” field, so every recipient was able to see another 999 email addresses belonging to other Coil users.

https://twitter.com/bwhli/status/1328542178088370176

Besides the fact that people can now start a “reply-all email storm,” which thankfully nobody has done so far, the message distribution mistake has resulted in a severe exposure for the Coil users. Each of them has been exposed to another 999 people who know they have a Coil account and have a starting point in account takeover attempts.

For example, a malicious individual could search previous data breaches to find the same email address and maybe a couple of leaked passwords that could be used in the target’s Coil account (credential stuffing). Brute-forcing could also be a possibility, even if the target doesn’t correspond to any breach data available out there.

Also, the group of 999 people is just the start of the exposure. Every single one of them may share the email addresses with more people like straight-out ill-intended hackers who would even pay a few dollars for this data.

Coil has realized the mistake shortly after the emails flew away from them and sent an apology with a “Please forgive us” subject. As the CEO Stefan Thomas explained:

Earlier this evening, we sent you an email updating you on changes to our Terms & Privacy Policy. Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours.

This mistake is especially painful as we take privacy extremely seriously -- it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: