Earlier today at 2:31PM EST, NightDev received notice of an abusive user using the payment API on Stream Donations to create a log of many users’ email addresses.
This abusive user snatched a batch of 1500 emails and posted them publicly online, associating them with their respective owners by Twitch username.
While this sounds worse than it is, it is important to note that there was no security breach. The API was functioning as designed: to redirect users to PayPal to pay, we must pass along the business email (or Merchant ID) that the payment is sent to. Other donation tracking sites like Im Raising share this same problem.
But, out of concern for our users (some users had been using their personal email addresses), we decided that it would be best to retroactively remove all emails and start requiring the use of Merchant IDs so that the payment API could not be abused going forward. Merchant IDs allow PayPal to associate payments with you without showing your PayPal email when we redirect users to pay you.
As of 4:40PM EST, both Streamtip and Stream Donations were changed to force users to use Merchant IDs.
I’ve posted a guide on finding your Merchant ID on PayPal’s website, as well as some other helpful tips concerning your PayPal email on this thread.
If you have any questions or concerns about this incident, feel free to direct them to the Contact form.