@asumansenol
Last active September 27, 2022 08:37
Hi,
[We would appreciate it if you could forward this message to your information
security personnel.]
We are researchers from KU Leuven (Belgium), currently studying personal
data collection on popular websites.
During our research we came across incidental password collection by Yandex
Metrica on around 50 websites, including popular websites such as championat.com,
olymptrade.com, exness.com, and toyota.ru.
On these websites, when a user types in their password, Yandex Metrica’s session
replay feature immediately collects and sends the password to a URL starting with
mc.yandex.ru/webvisor. The user does not need to submit the form for the collection
to happen. The password is collected almost key by key, while the user is typing.
We understand that Yandex Metrica does not intentionally collect these passwords.
Analyzing a sample of the websites with this issue (see the list below), we noticed
that almost all of them were built using React.js. So we believe the passwords are
collected due to an interaction between Yandex Metrica and React. Unfortunately we
did not have time to fully confirm this hypothesis, but we are sharing the list of
webpages on which we observed password collection. We hope that the list will help
you identify and address the problem.
We would appreciate it if you could let us know when you release a fix for the problem.
We’ll be happy to confirm the solution on a sample of websites.
Feel free to let us know if you need any more details from us.
Kind regards,
PS: To be perfectly clear, we have not observed or captured any user data
in our study. Passwords on the following pages are directly sent to Yandex.
The list of pages where Yandex Metrica incidentally collects passwords:
https://www.championat.com
https://olymptrade.com
https://my.exness.com/accounts/sign-in
https://ctc.ru/auth/
https://passport.travelpayouts.com/
https://www.giraff.io/login
https://ib.open.ru/webbank/#/login
https://www.sibnet.ru/
https://expertoption.com/
https://bitmedia.io/app/sign-up
https://secretmag.ru/
https://fboom.me/auth/login
https://lingualeo.com/ru
https://mybook.ru/
https://www.forumhouse.ru/auth/register
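The report above describes three observable properties of the leak: the data goes to a URL starting with mc.yandex.ru/webvisor, it is sent before the form is submitted, and it arrives almost key by key. The following is an added example, not code from the gist or from the KU Leuven researchers, showing how to check those three properties offline against a network capture taken while a known test password is typed into a login form. The site name, counter id, timestamps and request bodies below are constructed; real Webvisor payloads may be packed or compressed, so a real capture (for example a HAR export) would need its bodies decoded to text before being fed to `findPasswordLeaks`.

```javascript
// Added example: offline check for password leakage through session-replay requests.
// Input: network records captured while a known test password was typed.
// Output: the webvisor requests that carried the password or one of its typed prefixes.

const WEBVISOR_PREFIX = "mc.yandex.ru/webvisor"; // URL prefix named in the report
const MIN_PREFIX = 4; // 1-3 character prefixes match almost any payload; ignore them

// Constructed sample capture (hypothetical site, counter id and payload format).
const SAMPLE_PASSWORD = "Tr0ub4dor&3";
const SAMPLE_SUBMIT_TIME = 2000; // ms; when the login form was actually submitted
const SAMPLE_RECORDS = [
  { t: 1000, method: "GET",  url: "https://example.test/login", body: "" },
  { t: 1210, method: "POST", url: "https://mc.yandex.ru/webvisor/12345678?wmode=7",
    body: '[{"type":"input","target":7,"value":"T"}]' },
  { t: 1320, method: "POST", url: "https://mc.yandex.ru/webvisor/12345678?wmode=7",
    body: '[{"type":"input","target":7,"value":"Tr0u"}]' },
  { t: 1450, method: "POST", url: "https://mc.yandex.ru/webvisor/12345678?wmode=7",
    body: '[{"type":"input","target":7,"value":"Tr0ub4dor"}]' },
  // Form-encoded variant: the full password only appears after URL-decoding.
  { t: 1550, method: "POST", url: "https://mc.yandex.ru/webvisor/12345678?wmode=7",
    body: "events=%5B%7B%22type%22%3A%22input%22%2C%22value%22%3A%22Tr0ub4dor%263%22%7D%5D" },
  // Ordinary page-view hit to a non-webvisor endpoint: must be ignored.
  { t: 1600, method: "POST", url: "https://mc.yandex.ru/watch/12345678", body: "page-view=1" },
  // The legitimate login request, sent only on submit: not a webvisor URL, so ignored.
  { t: 2000, method: "POST", url: "https://example.test/api/login",
    body: '{"user":"alice","password":"Tr0ub4dor&3"}' },
];

// "Starts with mc.yandex.ru/webvisor" regardless of scheme or host case.
function isWebvisorUrl(url) {
  const noScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.toLowerCase().startsWith(WEBVISOR_PREFIX);
}

// Also inspect the URL-decoded body; keep the raw body if decoding fails.
function decodeBody(body) {
  try { return decodeURIComponent(body); } catch (e) { return body; }
}

// Key-by-key capture means intermediate prefixes show up in successive requests;
// return the longest prefix (at least MIN_PREFIX characters) present in the body.
function longestLeakedPrefix(body, password) {
  const texts = [body, decodeBody(body)];
  for (let n = password.length; n >= MIN_PREFIX; n--) {
    const prefix = password.slice(0, n);
    if (texts.some((t) => t.includes(prefix))) return prefix;
  }
  return "";
}

function findPasswordLeaks(records, password, submitTime) {
  const leaks = [];
  for (const r of records) {
    if (!isWebvisorUrl(r.url)) continue;
    const prefix = longestLeakedPrefix(r.body || "", password);
    if (!prefix) continue;
    leaks.push({
      t: r.t,
      url: r.url,
      prefix,
      beforeSubmit: submitTime === undefined ? null : r.t < submitTime,
    });
  }
  return leaks;
}

// Condense the findings into the three properties the report describes.
function summarizeLeaks(leaks, password) {
  return {
    leakingRequests: leaks.length,
    fullPasswordLeaked: leaks.some((l) => l.prefix === password),
    leakedBeforeSubmit: leaks.some((l) => l.beforeSubmit === true),
    keyByKey: new Set(leaks.map((l) => l.prefix.length)).size > 1,
  };
}

const sampleLeaks = findPasswordLeaks(SAMPLE_RECORDS, SAMPLE_PASSWORD, SAMPLE_SUBMIT_TIME);
console.log(JSON.stringify(summarizeLeaks(sampleLeaks, SAMPLE_PASSWORD), null, 2));
```

Use a throwaway, unique test password so that a match in a payload cannot be coincidental, and keep `MIN_PREFIX` above the length of any common token in the replay format; a short prefix such as a single letter would flag nearly every request. The check is deliberately vendor-neutral apart from the URL prefix: pointing `WEBVISOR_PREFIX` at another session-replay endpoint lets the same capture be screened for the same class of problem.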