Major security issue with email addresses

I created a private drop for a group of 36 people for participating in a performance at the Queen’s Platinum Jubilee celebrations in London. The event ID is 46808 (POAP Gallery). I received 36 mint links, and I have not shared the list of links with anyone. I have only shared each individual link / 6 digit code with each of the 36 individual people in our group. The POAPs are meant specifically for the 36 people who participated in the performance, and we are planning to use the POAPs to provide them with additional benefits and special access to other events in the future. They are not meant to be given to anyone else.

I noticed that someone else had somehow managed to claim one of the POAPs even though they were not part of our group. (This is the collection address: 0x5f27df8de30ac770ffc21d9ec97a89a703bbadf0) I could tell it was not someone in our group because they have over 200 POAPs in their collection, whereas most of the people in our group are not very familiar with POAPs at all and for most of them this is their first time receiving one. A few days later I noticed that another person outside of our group had managed to claim one of the POAPs, and they also have over 200 in their collection. (This is the collection address: 0x19e69b4c0ccaa86b9c40151a9bb9ca85f3a3fc35)

I was able to figure out which links/6 digit codes they used by visiting each link myself and checking which ones said “Congratulations, this POAP was minted”.

It turns out that two people in our group had actually claimed their POAP as expected, but then later noticed that it was gone from their POAP app. Both of these people used their email address since they don’t have an Ethereum wallet address.

So it seems that some people have somehow figured out a way to steal POAPs from accounts that have used an email address instead of an Ethereum wallet address.

I’m concerned that this may happen to others in our group as well, since the majority of them don’t have Ethereum wallet addresses either.

I spoke to the customer support team and they advised me to share this information here to get it escalated and investigated further.

4 Likes

Hey @msethco

Thanks for taking the time to provide all the info and context about this drop.
I will commence an internal investigation to find out what happened.

3 Likes

Thanks @Fio, I would really appreciate it if you could also please keep us posted on any progress or updates on this situation, so that I know whether I need to request new mint links for the people who have had their POAP stolen, and also because we will be doing more drops very soon. If you can also advise me on any steps I can take to help prevent this in the future, that would be really helpful. (For now, I can try to encourage the people in my group to set up an Ethereum wallet instead of using their email address.) Thanks!

1 Like

Just wanted to chime in. I also hosted a private drop, and participants are new users that are using email and not an Ethereum address for redemption. Address 0x19e69b4c0ccaa86b9c40151a9bb9ca85f3a3fc35 also claimed one of my group's POAPs and raised a red flag when I was checking mints.

Now I need to figure out who lost a POAP and either try to reissue or eliminate using email going forward for future events.

Small update: I noticed that the address that stole the POAP from my event (0x19e69b4c0ccaa86b9c40151a9bb9ca85f3a3fc35) no longer has the POAP. I checked their account using app.poap.xyz and it looks like all of their POAPs were removed. I appreciate the work done to resolve the email claim POAP theft, but wish there was a better explanation or announcement for next time. Thanks!