A number of big companies including JetBlue, mobile video platform Quibi and e-commerce platform Wish.com were caught allowing third-party ad-tech giants including Google, Facebook and Twitter access to their hundreds of millions of user email addresses.
That's according to Zach Edwards, founder of analytics and optimization firm Victory Medium, who revealed the scheme in a Wednesday blog post published to Medium.com.
Wish.com and Quibi, which launched on April 6, told FOX Business they took immediate action to address the issue, and JetBlue said it is investigating.
The Washington Post, which Edwards said leaked some emails to "a limited number of analytics companies" that ultimately did not get passed on to advertisers, said the newspaper "took immediate steps to resolve" the "limited" issue.
Here's how the email-sharing method works: A user signs up for a service by entering an email address on a website, the user then receives a confirmation email that includes a link, and once the user clicks on the link, advertisers like Facebook, Twitter and Google get access to that person's email address, according to Edwards.
The practice is nothing new and is becoming more commonplace for ad companies, according to Edwards. Third-party advertisers have been known to collect emails fand other information from popular websites to improve targeted ad efforts.
Many companies may not even be aware that this is happening when users enter their email addresses to sign up for their services, but Edwards argues that they should be aware of this "sloppy and dangerous growth hack" and take the steps necessary to stop it.
A Quibi spokesperson, for example, said the issue was an unintended result of a default setting that the company did not catch despite rigorous engineering and security testing.
Companies can prevent this type of breach by submitting partner deletion requests to Google, Facebook, Twitter and other ad-tech giants.
"All organizations need to be aware of this significant user data vulnerability, but more importantly, there needs to be significant efforts by organizations sharing user emails in this way, to submit partner deletion requests to the [third] party advertising and analytics companies who received the user emails," Edwards wrote.
He praised Wish.com for its immediate action, saying the website "had completely rebuilt their email architecture and they had built a completely new auto-login flow via email" within just 72 hours of being made aware of the issue.
"We promptly investigated the report and made some changes based on what we learned, including additional use of encryption to further protect user email addresses," a Wish.com spokesperson said in a statement.
The spokesperson added, however, that Edward's Medium article "is off the mark" and critiqued Edwards' use of the word "breach."
"The companies that received the data at issue ... perform basic advertising and sales support functions, as they do for many other companies. [Edwards] takes issue with the specific manner in which web referrer data was encoded ... and surmises that large service providers theoretically could have first ingested and then taken steps to de-code that data. We have no reason to believe that occurred," the spokesperson said.
Edwards criticized Quibi for being a brand new company that adopted the method, saying, "No new technology organizations should be launching that [leak] all new user-confirmed emails to advertising and analytics companies — yet that's what Quibi apparently decided to do."
He also said Quibi did not respond after being notified about the issue on April 17, but the company told FOX that it was made aware of the issue on April 28 and took immediate action.
Quibi said data protection "is essential" to the company, and "the security of user information is of the highest priority," adding, "The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately."