The tweets below are typical reactions to the situation.
Well, crap, @Coil! You just managed to expose every single user’s email address in one email where you used the TO: field, amounting to a comprehensive data breach.
This is a cataclysmic privacy and security mistake. I can’t trust you with my info, and have deleted my account.
— Jason C. McDonald (@codemouse92) November 17, 2020
Hey @Coil, thanks for sending me a marketing email with 999 other people’s emails in the “to” field. It’s super cool that all of us now have each other’s email address and know that we all have a Coil account.
— Jordan Kicklighter (@jwkicklighter) November 17, 2020
@Coil You sent out an email about terms/privacy updates, and exposed the email addresses of thousands of users (super ironic). Now, my email address is visible in the inboxes of thousands of people I don’t know!
Are you serious?! pic.twitter.com/GxVIygjRop
— brianli.com (@bwhli) November 17, 2020
At the time of writing, the mails appear not to have spawned a Reply-All storm. The Coil user who tipped us off to the situation told us he was “tempted to start one” and reported “everyone’s been well behaved. They sent it from a no-reply email address anyway :)”.
Coil has become aware of the incident and sent an apology email with the subject line “Please forgive us”.
Founder and CEO Stefan Thomas offered the following sentiments:
The company has not addressed other questions we asked regarding how the incident occurred and its plans to prevent similar events in future.
Coil offers a service that charges users $5 a month, then shares that sum with publishers and content creators. The company offers the latter a chance to monetise their work without having to operate a subscription service. Users get the chance to send some cash to sites they appreciate. ®