What are the risks of including email addresses as URL parameters?
Summary
What email marketers say (9 marketer opinions)
Email marketer from StackExchange shares that including email addresses in URLs can lead to spam if bots crawl and index those URLs. Additionally, it can expose email addresses if the URL is shared or logged.
Email marketer from Information Security Forum explains that sending PII as URL parameters has the risk of exposing it in web server logs, browser history, and the HTTP Referer header.
Marketer from Email Geeks explains that including PII in query strings is negligent and likely an issue with company terms of service/privacy policy.
Marketer from Email Geeks explains that this is a huge concern, that OWASP details the risks, and recommends NOT DOING THIS.
Email marketer from Reddit explains that including email addresses in URLs is bad practice as it will pass the email to any site the user clicks through and ends up in server logs.
Email marketer from StackOverflow explains that using a URL like `example.com/unsubscribe.php?email=email@example.com` puts this information in the server logs.
Email marketer from InfoSec Exchange states that including PII in URLs exposes the information to anyone who has access to the server logs, browser history, or shares the link. It also increases the risk of a phishing attack.
Email marketer from Troy Hunt's Blog explains that email addresses in URLs can leak personal information through referrer headers, potentially exposing user data to third-party websites and analytics services.
Email marketer from Medium explains that the risks of having personal data in the query string include passing PII to third-party trackers, logging it in plaintext, and exposing data via the browser history.
What the experts say (4 expert opinions)
Expert from Email Geeks shares they have seen email address leaking into Google results from query strings in the past.
Expert from Word to the Wise explains that using PII in URLs is generally a bad idea and provides an example of a case where using an email address in a URL resulted in a spammer using the URL to unsubscribe a user from various lists, causing problems for the user and making it more difficult to track the source of the spam.
Expert from Email Geeks explains that putting PII in plain text is a violation of Google Analytics' TOS and leaks the email to potential plugins or intermediary sites.
Expert from Email Geeks shares that including PII in email URLs is bad because it leaks email addresses into server logs and analytics tools.
What the documentation says (4 technical articles)
Documentation from Veracode explains that storing sensitive data in the URL can lead to security problems, such as exposing the data in server logs and browser history, and recommends not storing PII in URL parameters.
Documentation from SANS Institute explains that referrer headers can leak sensitive information when URLs contain personal data. This can be mitigated by avoiding the inclusion of sensitive data in URLs or by using techniques to control the referrer header.
Documentation from Mozilla explains that the Referer header can expose the URL of the previous page, potentially leaking sensitive information if the URL contains personal data. This can be mitigated by using a Referrer-Policy header to control what information is sent in the Referer header.
Documentation from OWASP explains that sensitive information in query strings can be exposed in several ways, including browser history, server logs, referrer headers, and shoulder surfing. This exposure can lead to security vulnerabilities and privacy breaches.
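The pattern the sources above warn against is the `unsubscribe.php?email=...` link, and the Word to the Wise example shows the second problem with it: anyone who knows an address can forge the link and unsubscribe that person. The following is an added example, not code from any of the quoted sources, showing the usual defensive alternative: the link carries an opaque subscriber id plus an expiry and an HMAC, the email address stays in a server-side table, the endpoint sets the `Referrer-Policy` header that the Mozilla summary mentions, and a small review helper flags any URL whose query parameters still contain an email address. The secret key, the subscriber table and the `sub_7f3a9c` id are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret: a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 7 * 24 * 3600

# Constructed subscriber table. The email address lives only here, server-side;
# the link carries an opaque subscriber id, never the address itself.
SUBSCRIBERS = {
    "sub_7f3a9c": {"email": "alice@example.com", "lists": {"newsletter", "promos"}},
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(subscriber_id: str, list_id: str, expires: int) -> bytes:
    # The MAC binds subscriber, list and expiry so none of them can be swapped.
    msg = f"{subscriber_id}|{list_id}|{expires}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def build_unsubscribe_url(base_url: str, subscriber_id: str, list_id: str, now=None) -> str:
    """Link to embed in the email: opaque id + expiry + signature, no PII."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    query = urlencode({
        "sid": subscriber_id,
        "list": list_id,
        "exp": expires,
        "sig": _b64u(_sign(subscriber_id, list_id, expires)),
    })
    return f"{base_url}?{query}"


def verify_unsubscribe_url(url: str, now=None):
    """Return (ok, reason). Rejects malformed, forged, expired and unknown links."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        sid, list_id, exp, sig = params["sid"], params["list"], int(params["exp"]), params["sig"]
        provided = _unb64u(sig)
    except (KeyError, ValueError, binascii.Error):
        return False, "malformed"
    # Constant-time comparison; a forged or altered link fails here before any lookup.
    if not hmac.compare_digest(provided, _sign(sid, list_id, exp)):
        return False, "bad-signature"
    if now > exp:
        return False, "expired"
    sub = SUBSCRIBERS.get(sid)
    if sub is None or list_id not in sub["lists"]:
        return False, "unknown-subscriber-or-list"
    return True, "ok"


def handle_unsubscribe(url: str, now=None):
    """Simulated endpoint: returns (status, headers, body).

    Referrer-Policy: no-referrer keeps the landing page's URL out of the Referer
    header of any third-party resource it loads; Cache-Control: no-store keeps
    the tokenised URL out of shared caches."""
    headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
    ok, reason = verify_unsubscribe_url(url, now)
    if not ok:
        return 400, headers, reason
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    SUBSCRIBERS[params["sid"]]["lists"].discard(params["list"])
    return 200, headers, "unsubscribed"


def email_params_in_url(url: str):
    """Review check: names of query parameters whose value is an email address."""
    return [name for name, values in parse_qs(urlparse(url).query).items()
            if any(EMAIL_RE.match(v) for v in values)]


if __name__ == "__main__":
    link = build_unsubscribe_url("https://mail.example.com/unsubscribe", "sub_7f3a9c", "promos")
    print("link:", link)
    print("email params in new link:", email_params_in_url(link))
    print("email params in legacy link:",
          email_params_in_url("https://example.com/unsubscribe.php?email=email@example.com"))
    print("handler:", handle_unsubscribe(link))
```

The server logs, browser history and Referer headers in this design only ever see `sid`, `exp` and `sig`; if a link is shared or indexed, the expiry limits its lifetime and the signature stops anyone from changing the list or subscriber to unsubscribe someone else. `email_params_in_url` is the kind of check worth running over link templates or access logs to find legacy links that still carry an address.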