There are many ways to end up exposed, and some are more understandable than others. Leaving an unprotected database online for anyone with a web browser to access is certainly a blunder, but misconfigurations can be made even by careful and otherwise diligent admins. Outright mailing the email addresses of the entire user base to that same user base is a lapse that is hard to justify for a micropayments company that strives to win people's trust.
This is exactly the mistake that Coil's marketing team made when it tried to send an update on the latest changes to its "Terms and Privacy Policy." The company sent out these emails in batches of a thousand recipients, putting all of the addresses in the "To" field, so every recipient could see the other 999 email addresses belonging to other Coil users.
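The addressing mistake described above, the per-recipient pattern that avoids it, and a pre-send check that catches the leaky form, as an added example in Python. This is not Coil's code; the sender, subject, body and recipient addresses are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (not real users).
RECIPIENTS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]

SENDER = "noreply@example.com"  # assumed sender address
SUBJECT = "Updated Terms and Privacy Policy"
BODY = "We have updated our Terms and Privacy Policy."


def build_leaky_message(recipients):
    """The pattern in the article: one message, every address in 'To'.

    Each recipient can read everyone else's address in the header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_per_recipient_messages(recipients):
    """One message per recipient; each 'To' header names only that person."""
    msgs = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        msgs.append(msg)
    return msgs


def visible_recipients(msg):
    """Addresses that anyone receiving this message can read in its headers.

    'Bcc' is deliberately not included: a correct MTA submission strips it
    (smtplib's send_message removes Bcc/Resent-Bcc before sending)."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return addrs


def leaks_other_recipients(msg, intended):
    """True if the headers expose any address other than the intended recipient."""
    return any(a.lower() != intended.lower() for a in visible_recipients(msg))


def check_batch(msgs, recipients):
    """Pre-send guard for a batch: every message may expose only its own recipient.

    Returns a list of (message index, leaked addresses); empty means safe to send."""
    problems = []
    for i, (msg, rcpt) in enumerate(zip(msgs, recipients)):
        leaked = [a for a in visible_recipients(msg) if a.lower() != rcpt.lower()]
        if leaked:
            problems.append((i, leaked))
    return problems


if __name__ == "__main__":
    leaky = build_leaky_message(RECIPIENTS)
    print("leaky message exposes:", visible_recipients(leaky))
    safe = build_per_recipient_messages(RECIPIENTS)
    print("problems in per-recipient batch:", check_batch(safe, RECIPIENTS))
```

A single message with every address in "Bcc" and a placeholder in "To" also works, but only if the submission path actually strips the Bcc header before the message leaves; serializing such a message with `as_string()` and handing it to a transport that does not remove the header leaks the list just the same. Sending one message per recipient removes that dependency, which is why the guard above treats any address in "To" or "Cc" other than the recipient's own as a leak.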
Besides the fact that any recipient can now start a "reply-all email storm," which thankfully nobody has done so far, the distribution mistake is a serious exposure for Coil's users. Each of them is now known to another 999 people as a Coil account holder, and that alone is a starting point for account takeover attempts.
For example, a malicious individual could search previous data breaches for the same email address and find a couple of leaked passwords to try against the target's Coil account (credential stuffing). Brute-forcing is also possible, even if the address does not appear in any breach data available out there.
Also, the group of 999 people is just the start of the exposure. Any one of them can pass the addresses on to others, including ill-intentioned actors who would pay a few dollars for a list of confirmed Coil users.
Coil realized the mistake shortly after the emails went out and sent an apology with the subject line "Please forgive us." As CEO Stefan Thomas explained: