By Amanda Yeo
Mobile streaming service Quibi is less than a month old, but it’s already shoving its sticky little fingers where they don’t belong.
A new report by Victory Medium researcher Zach Edwards has revealed Quibi leaked user’s signup emails to multiple third-party advertisers, including Google, Snapchat, Facebook, and Twitter.
In order to create a Quibi account, new users were asked to provide an email address to which the company would send a confirmation link. However, unbeknownst to said users, clicking the link sent their email address to third-party advertisers and analytics companies in plain text.
Confirmation emails are a standard part of online signups and are often required to access a service’s full functionality, so users would have had little reason to distrust the link. The app had already been downloaded 2.7 million times just over two weeks after launch.
Quibi’s leak wasn’t the only one covered in Edwards’ report. He also noted Wish appears to have leaked hundreds of millions of emails for over a year, while The Washington Post leaked a smaller number to a few analytics companies. However, Edwards considered Quibi’s leak “one of the most egregious” due to the youth of the service, and the fact that it launched after the GDPR and CCPA were put into place.
“In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies — yet that’s what Quibi apparently decided to do,” wrote Edwards.
“It’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach.”
Further, while Wish and The Washington Post acted swiftly to rectify their leaks upon being notified, Edwards reported Quibi’s leak was still active over a week after the company was notified of it on April 17.
In a statement to Variety, Quibi contradicted Edwards’ claim regarding its alleged slow response, saying it was only notified of the breach on April 28. “The moment the issue on our web page was revealed to our security and engineering team, we fixed it immediately,” said a Quibi spokesperson. Mashable has reached out to Quibi for further comment and will update this article if we receive a response.
Though user emails will no longer be sent to third-parties in this manner, Quibi’s Privacy Policy states it may share personal information such as emails with third-party service providers. This enables said third-parties to provide the company services such as “personalized advertising, ad measurement and verification.”
Even so, it’s reasonable to assume users didn’t expect emails entrusted to Quibi to be summarily delivered to third parties this way.
“[M]any advertising companies have features they’ve built to sync user emails into retargeting lists and other audience advertising targeting strategies, without properly notifying users,” wrote Edwards. “How many of those organizations have user emails that were given without the user fully understanding what was occurring or having an ability to delete or modify that information after it was sent?”
UPDATE: May 2, 2020, 9:50 a.m. AEST Quibi has responded to Mashable with the same statement previously provided to Variety: “Data protection is essential to Quibi and the security of user information is of the highest priority. The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately.”
