Millions of people gave their email addresses to Quibi, JetBlue, Wish and other companies — and those email addresses got away.
They ended up in the hands of advertising and analytics companies like Google, Facebook and Twitter, leaving the people with those email addresses more easily targeted by advertisers and able to be tracked by companies that study shopping behavior, according to a report published on Wednesday.
The customers unwittingly exposed their email addresses when signing up for apps or clicking on links in marketing emails, said the researcher Zach Edwards, who runs the digital strategy firm Victory Medium. In the report, he described the giveaway of personal data as part of a “sloppy and dangerous growth hack.”
The practice of making customers vulnerable to tracking by allowing their personal data to be passively collected by third parties is nothing new, Mr. Edwards said in an interview, but it has gained traction despite efforts to boost online privacy protections.
“This hack used to be something that only very niche and sophisticated developers understood,” he said. “But now the entire ad-tech industry understands it.”
Privacy experts have raised concerns about leaks of personal information for more than a decade, said Arvind Narayanan, a computer science professor at Princeton University who has studied data mining. Careless web programming practices lead to some accidental giveaways of large hunks of personal information, he said, but other leaks are intentional.
“There’s an industry of ad-targeting that tries to connect people’s online and offline activities,” Mr. Narayanan said. “People may not want all of their interests and activities and purchases to be tied together in one uber-profile that connects every dot, but that’s exactly what’s happening. These leaks are one clue to the puzzle of how companies are able to create that all-encompassing profile.”
Mr. Edwards, a contributor to a recent study that examined potential privacy violations by dating services like Grindr and OkCupid, wrote in the new report that one of the “most egregious” leaks involved Quibi, a short-form video platform based in Los Angeles that is run by the veteran executives Jeffrey Katzenberg and Meg Whitman.
Quibi went live on April 6, long after new data privacy regulations went into effect in Europe and California.
“In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies,” Mr. Edwards wrote. “Yet that’s what Quibi apparently decided to do.”
People who downloaded the Quibi app were asked to submit their email addresses. Then they received a confirmation link. Clicking on the link made their email addresses available to Google, Facebook, Twitter and Snapchat, according to the report.
Quibi said in a statement on Wednesday that data security “is of the highest priority” and that “the moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately.”
Mr. Edwards said customers were probably unaware of leaks at Wish, an e-commerce platform where hundreds of millions of email addresses were likely exposed starting in 2018. When users clicked on links in marketing emails from the company, their email addresses were shared with Google, Facebook, Pinterest, PayPal and others, he wrote.
Wish strengthened its data protection measures after hearing from Mr. Edwards earlier this year, the company said in a statement. But it criticized his report as “off the mark,” noting that the email addresses were encoded and that they went to service providers that Wish uses for advertising and sales support.
A spokesman for Wish added that Google and other advertising and analytics companies “had no reason” to crack the encoded email addresses. “In any event,” the spokesman said, “it certainly is not a ‘breach’ to provide a service provider with such encoded information.”
Google did not immediately respond to a request for comment.
According to Mr. Edwards’s report, customer data also leaked out of JetBlue, which said in a statement that it was taking Mr. Edwards’s concerns seriously and would review his findings.
Other companies, including The Washington Post, had limited leaks, according to the report. The email addresses of people who had unsubscribed to newsletters from The Post ended up with several analytics companies, Mr. Edwards wrote, and the publication addressed the issue shortly after it was notified.
Mr. Edwards urged companies to reach out to platforms that might have collected their customers’ email addresses and ask that the information be scrubbed.
“Some of the largest companies doing this pretend like it doesn’t happen, so they don’t have to deal with the deletion process,” Mr. Edwards said. “They ignore people who ask.”