During the first three weeks after the launch of streaming service Quibi, email addresses belonging to an untold number of new users were leaked to third parties due to an issue in the sign-up process.
The error was discovered by researcher Zach Edwards of digital strategy company Victory Medium. According to Edwards, the problem occurred during the email verification process. Upon signing up, new users were asked to click a verification link sent to their email account; upon clicking the link, users were redirected to a web page with a URL that included the user’s email address. Edwards provided multiple screenshots demonstrating the problem.
Edwards reported that as a result, user email addresses were shared without permission to at least 12 different recipients, including a site called CivicComputing.com belonging to a U.K. company, and analytics for Facebook, Google and Twitter.
Edwards also identified similar user privacy breaches at several other websites, including Wish.com, NGPVan.com, and JetBlue.com. WashingtonPost.com also experienced limited leaks. All told, “hundreds of millions” of people were affected, the vast majority of them from Wish.com, according to the report. Edwards published his findings on Wednesday.
In a statement provided to TheWrap, a Quibi spokesperson acknowledged the problem but said it has now been fixed. “Data protection is essential to Quibi and the security of user information is of the highest priority. The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately,” the statement read.
It is not known how many Quibi users were affected, but the service had been downloaded more than 2.7 million times as of April 20. Edwards said he notified Quibi of the problem on April 17, but that as recently as April 26 the error remained in place.