Email addresses were leaked in website’s source code

HURR Collective, a UK-based fashion rental company, has notified around 400 users of a data security incident that resulted in their email addresses being exposed, The Daily Swig has learned.

A misconfigured plugin on the HURR website meant that users’ email addresses could be obtained simply by clicking ‘View Source’ on certain web pages.

“We can confirm that the email addresses of around 400 users were exposed in our website’s source code as a result of a misconfigured third-party plugin,” HURR co-founder and CEO Victoria Prew told The Daily Swig.

A security alert was sent out to around 400 HURR users last month

Described in a recent Vanity Fair article as the “Airbnb of fashion”, HURR Collective is a clothing and accessories rental site, where users can sign up to lend or rent (often designer) fashion items.

The London-based company was alerted to the email exposure incident by an independent security researcher who wished to remain anonymous.

Their disclosure has also resulted in HURR fixing an issue in its map visualization plugin that had the potential to allow an attacker to get “uncomfortably close” to a seller’s provided location.

“We immediately took our website offline and contacted our technical partners to investigate and contain the incident,” said Prew.

“We have implemented additional security measures to better protect our website code and implemented all additional recommendations provided to us by technical experts.”

“HURR were alerted to the issue on November 15 and didn’t have it locked down until November 28 when the address randomization was fixed,” the researcher told The Daily Swig.

Impacted users have been asked to treat unsolicited emails with caution.

“If you do happen to receive any suspicious looking emails, or emails with attachments, we encourage you to delete them immediately,” the company said.

HURR Collective has informed the UK’s Information Commissioner’s Office as a “precautionary measure”.
