An Essential email account asked some customers to verify their identity by sending back a picture of a photo ID, according to a report from The Verge.
That’s an odd request for a vendor to make of its patrons — it smells suspiciously of a phishing scam — but with all of Essential’s false starts, it might not have seemed out of line to fans who’ve waited for their phone since May.
The customer responses weren’t just sent back to the Essential account, though. Instead, messages went to everyone who received the original email, creating a thread filled with sensitive personal information.
Redditor Cygnosity posted the full text of the message to the r/Essential subreddit. He wrote that most of the replies to the thread were order cancellation requests, and that he was “absolutely done with this company.”
It’s unclear exactly why the message kicked back everyone’s response if it wasn’t a phishing attack, but according to some sleuthing by redditor Ronnie Schnell, the email account was legit. He thinks it was a screw-up by Essential, which could have somehow misconfigured a customer support address on Zendesk, a customer service portal.
Some redditors are postulating that the message was indeed a phishing attack, sent out by a disgruntled Essential employee or someone else with access to the company’s official channels. Whatever the case, multiple people responded to the message with their personal information, so this is a serious breach of consumer security and trust.
Essential’s only public response to the fiasco thus far is a tweet, which seems to acknowledge that the company has been able to take some action, but doesn’t share much else.
We’re aware of & looking into a recent e-mail received by some customers. We’ve taken steps to mitigate & will update with more info soon.
— Essential (@essential) August 30, 2017
We reached out to the company for some more details about the situation and asked what exactly is being done to “mitigate” the issue. Essential hasn’t responded to our requests for comment.
Essential is likely working in overdrive to clear up the situation, but it might be too late for the company to regain the trust of its customers.