Micropayments company Coil distributes new privacy policy with email that puts users' addresses in the ‘To:’ field

Micropayments company Coil has emailed users its new privacy policy but placed hundreds of their addresses in the “To:” field and therefore breached their privacy.


The mail had the Subject line “Updates to Coil’s Terms and Privacy Policy” and offered links to the document. The Register has read it and can report that while it reveals that Coil seeks permission to share users’ details with service providers, partners, and “related entities”, we cannot find a clause that resembles: “We reserve the right to expose your email address to countless other Coil users in the ‘To:’ field of an email.”


The tweets below are typical reactions to the situation.



Well, crap, @Coil! You just managed to expose every single user's email address in one email where you used the TO: field, amounting to a comprehensive data breach.

This is a cataclysmic privacy and security mistake. I can't trust you with my info, and have deleted my account.


— Jason C. McDonald (@codemouse92) November 17, 2020

Hey @Coil, thanks for sending me a marketing email with 999 other people's emails in the "to" field. It's super cool that all of us now have each other's email address and know that we all have a Coil account.


— Jordan Kicklighter (@jwkicklighter) November 17, 2020

@Coil