Quibi, others named in data leak, report says
Millions of people gave their email addresses to Quibi, JetBlue, Wish and other companies — and those email addresses got away.
They ended up in the hands of advertising and analytics companies like Google, Facebook and Twitter, leaving the people with those email addresses more easily targeted by advertisers and able to be tracked by companies that study shopping behavior, according to a report published Wednesday.
The customers unwittingly exposed their email addresses when signing up for apps or clicking on links in marketing emails, said researcher Zach Edwards, who runs the digital strategy firm Victory Medium. In the report, he described the giveaway of personal data as part of a “sloppy and dangerous growth hack.”
The practice of making customers vulnerable to tracking by allowing their personal data to be passively collected by third parties is nothing new, Edwards said, but it has gained traction despite efforts to improve online privacy protections.
“This hack used to be something that only very niche and sophisticated developers understood,” he said. “But now the entire ad-tech industry understands it.”
Edwards wrote in the new report that one of the “most egregious” leaks involved Quibi, a short-form video platform based in Los Angeles run by veteran executives Jeffrey Katzenberg and Meg Whitman.
Quibi went live April 6, long after new data privacy regulations went into effect in Europe and California.
“In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies,” Edwards wrote. “Yet that’s what Quibi apparently decided to do.”
People who downloaded the Quibi app were asked to submit their email addresses. Then they received a confirmation link. Clicking on the link made their email addresses available to Google, Facebook, Twitter and Snapchat, according to the report.
Quibi said in a statement Wednesday that “the moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately.”