Notice Regarding An Incident of Email Contact Exposure
Dear Customers and Community,
We recently experienced an incident in which the email addresses of some customers were inadvertently shared with other recipients. We sincerely apologize for any concern or inconvenience this may have caused.
What Happened
On January 26, 2025, at 10:33 PM Pacific Time (UTC 2025-01-27 06:33), we sent an email about a product to all customers who ordered the item, using the address contact@pawprint.press. Due to an error in how we used our system, the platform treated all recipients as part of a single group, allowing each individual to see the other recipients’ email addresses.
We became aware of the issue almost immediately after sending; however, most emails had already been delivered. Based on our data, approximately 300–400 customers received the email with all addresses visible in the “To” field. If a recipient chooses to inspect the email header, they can view those addresses.
Although the customers in this affected group can see each other’s email addresses, the list was not disclosed in any public environment through this incident.
No personal identifiers or any other data beyond the email addresses themselves were shared among this group.
How Did It Happen?
We recently switched to a new email platform that integrates more seamlessly with our tech stack. The email in question was the first one sent using this new platform.
Although the API (Application Programming Interface, which enables software systems to communicate) of the new platform appears similar to that of our previous provider, the two services handle group email lists in different ways. Our old platform automatically sent individual emails to each recipient, whereas the new one placed all recipients in the “To” field—thereby making every address visible to all.
Despite conducting several internal tests, we did not catch this error because our email clients tend to obscure or minimize the recipient list, and the recipient list we used in internal tests was too short to draw our attention to the issue. We recognize this was a severe oversight on our part and take full responsibility. We will make sure to learn a lasting lesson from this incident.
Data Involved
Only email addresses were exposed, and these addresses belong to other customers who purchased the same product. No additional personal information (e.g., full names, addresses, payment details) was disclosed, except where such information forms part of the email address itself.
Remedial Actions
Shortly after sending the email, we detected an unusually high rejection rate; many email clients flagged the message as spam because it contained an extensive visible recipient list. Ironically, this reduced the impact of the incident, as a significant number of emails were never delivered to their intended recipients. Fewer than 400 messages were successfully sent before we halted the process.
Unfortunately, due to the nature of email systems, it is impossible for us to recall messages that have already been delivered or prevent recipients from viewing the exposed email addresses if they choose to do so.
We did not immediately inform all affected customers because we needed time to study our full legal obligations, including what specific information must be provided in any notification. After reviewing the consumer data protection laws that apply to our business, we concluded that this incident does not constitute a reportable incident. You can read more about our legal compliance and your rights in the following section.
Following careful consideration, we chose not to notify each affected customer individually in order to limit additional exposure of the leaked data. Our assessment indicated that many recipients were unaware they could view others’ email addresses, given that many email clients minimize or obscure recipient lists by default. Moreover, although our system registered a significant number of emails as “delivered,” it appears many were flagged as junk or spam due to the unusually large recipient list, further reducing the likelihood that users would notice or access the addresses in question.
In the first 12 hours after sending the email, we received over 20 responses about the product itself—with no mention of the data exposure—and only 3 replies regarding the incident. We believe a broad notification might prompt additional recipients, who otherwise wouldn’t have noticed, to inspect the recipient list out of curiosity, potentially increasing exposure. We hope you understand our decision to minimize risk and mitigate the damage caused.
If you are one of the affected customers, we respectfully request that you refrain from sharing the recipient list with any third party.
Legal Compliance
Pawprint Press operates in compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). If you are an EU resident, our processing of your personal data is also subject to the General Data Protection Regulation (GDPR).
An unauthorized email address disclosure is only considered a reportable personal information breach under California law if the email address is combined with a password or security question (California Civil Code § 1798.29). We also reviewed consumer privacy laws in other U.S. states and reached the preliminary conclusion that this incident does not require notification to the authorities or individual notice to each affected customer.
Under the GDPR, an email address qualifies as personal information, so this incident constitutes a data breach as defined by Article 4. Article 33 requires data controllers to report breaches to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. After assessing the situation, we determined that such a risk is unlikely, based on several key points:
- The email addresses are not accompanied by any credentials that would allow someone to access the email accounts.
- The email addresses alone are insufficient to identify a customer’s full identity.
- The addresses were disclosed only among a group of customers and were not made public.
- The only linking factor is that these addresses belong to individuals who purchased the same product; all recipients (who are the only people to have received the leaked data) share that characteristic. This is unlikely to disclose any sensitive information associated with the purchase.
Under the GDPR, the obligation to individually notify data subjects applies only when there is a “high risk” to their rights and freedoms. Many other countries where most affected customers reside, including Australia and Canada, follow a similar structure, requiring reports only if a “high risk” is posed.
Based on these legal requirements and our own risk assessment, we decided not to notify each affected customer individually. We believe this approach helps prevent any further exposure of the data.
At the time of this notice, we have not had the time or resources to fully examine every relevant law in all jurisdictions where affected customers may reside. If this incident triggers a legal obligation in your jurisdiction, please notify us immediately and we will respond promptly to ensure compliance to the best of our ability.
In the meantime, we encourage you to visit or contact our supervising authority, the California Privacy Protection Agency, as well as any local authority that governs data protection in your area, to learn more about your legal rights.
Future Precautions
We genuinely value our customers’ data privacy and have always processed personal data in accordance with some of the strictest regulations. In fact, we switched to the new email platform to reduce manual data handling and thus lower the risk of data leaks. Regrettably, we made a mistake this time, and we sincerely apologize.
We have already corrected the logic in our program code to ensure that this error will never recur. We have also established a standard procedure requiring every group email to undergo a full test before being sent. This testing includes using a sufficiently large recipient list and inspecting the “To” field in the header of the test email. If we notice more than one recipient in the “To” field, we will immediately cancel the sending process, recognizing that the issue lies with the sending platform.
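The two behaviours described in "How Did It Happen?" (a platform that sends one message per recipient versus one that puts every recipient into a single "To" field) and the pre-send check described above can be illustrated in code. The following Python example is added here for illustration; it is not Pawprint Press's own program code and does not use either email platform's API. It assumes the standard-library email module, a placeholder transport function in place of a real sending service, and constructed example recipient addresses; the sender address is the one named in this notice.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "contact@pawprint.press"  # sender address named in the notice

# Constructed sample recipients (placeholder addresses, not real customers).
CUSTOMERS = [
    "customer1@example.com",
    "customer2@example.com",
    "customer3@example.com",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient of this message would be able to see.

    Only the To and Cc headers are rendered by mail clients; Bcc is stripped
    on delivery. getaddresses() handles display names, quoting and
    comma-separated lists, so a header like "A <a@x>, b@y" yields both.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields) if addr]


def is_safe_to_send(msg: EmailMessage) -> bool:
    """A message is safe only if exactly one address is visible in To/Cc."""
    return len(visible_recipients(msg)) == 1


def assert_single_visible_recipient(msg: EmailMessage) -> None:
    """Pre-send guard: refuse any message that exposes more than one address."""
    if not is_safe_to_send(msg):
        seen = visible_recipients(msg)
        raise ValueError(
            f"refusing to send: {len(seen)} addresses visible in To/Cc: {seen}"
        )


def build_group_message(recipients, subject, body) -> EmailMessage:
    """Unsafe pattern from the incident: all recipients in one To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(recipients, subject, body) -> list[EmailMessage]:
    """Safe pattern: one message per recipient, so no customer sees another.

    The guard runs on every message, so a future platform or code change that
    merges recipients is caught before anything leaves the system.
    """
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        assert_single_visible_recipient(msg)
        messages.append(msg)
    return messages


def send_campaign(recipients, subject, body, transport) -> int:
    """Build per-recipient messages and hand each to `transport` (a placeholder
    for the real sending API) only after the guard has passed. Returns the
    number of messages handed over."""
    sent = 0
    for msg in build_individual_messages(recipients, subject, body):
        transport(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    # The group-style message is rejected by the guard before sending.
    group = build_group_message(CUSTOMERS, "Product update", "Hello")
    try:
        assert_single_visible_recipient(group)
    except ValueError as exc:
        print("group message rejected:", exc)
    # The per-recipient campaign passes the guard for every message.
    n = send_campaign(CUSTOMERS, "Product update", "Hello", transport=lambda m: None)
    print("individual messages handed to transport:", n)
```

The guard inspects the headers of the message that is actually about to be sent, rather than the list passed to the platform, which is the distinction that mattered in this incident: the two platforms accepted the same input but produced different headers. Running the check on a realistically sized recipient list, as the procedure above requires, is what makes a merged "To" field stand out.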
Once again, we sincerely apologize for this incident and greatly appreciate your understanding. We deeply regret that this has happened to our loyal customers. If there is anything else we should do to help or if you have any further concerns, please let us know.
We are truly sorry, and we will do our utmost to ensure this never happens again.
Sincerely,
The Pawprint Press Team