Compliance Management, Privacy, Vulnerability Management bug exposes user email addresses


A vulnerability on the website exposed the email addresses "a small subset” of the online petition organization's users, according to a statement by Tim Catlin, the organization's vice president of engineering.  

Information on the users “could be seen publicly through the search function” on's platform, Catlin said. Those users had “previously pasted emails” from the organization into public web pages. The unsubscribe link, which contained a hashed version of the user's email address at the end of the emails, was indexed by Google.

Even though the organization makes it a best practice “to obscure or hash the email address in unsubscribe links,” that didn't preclude search engines from showing the links that ultimately exposed the email addresses. has since disabled searching on its website, asked major search engines to clear indexed email addresses, and implemented a fix that prevents search engines from indexing unsubscribe pages.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.