Holiday Extras is investigating how the email addresses of nearly 5,000 of its customers were wrongly shared online.
It is contacting 4,852 customers to tell them about the security breach, which it blamed on a mistake by one of its marketing partners.
In a note to its customers, Holiday Extras assured them that their payment details and passwords were not exposed and said the issue has now been resolved.
CEO Matthew Pack said the links containing customer email addresses were showing between March 10 and April 16 on the Open Site Explorer service of MOZ, a marketing and SEO software company.
He said he believes the mistake was made when Bit.ly, which operates a URL shortening and redirection service, signed a partnership with MOZ on March 10.
"We have accounts with both bit.ly and MOZ. Bit.ly appear to be sharing private links, which are being picked up by the Moz Open Site Explorer service. Bit.ly announced a partnership with Moz on March 10th and it appears they’ve made a mistake sharing private links," said Pack.
"The private links have been shared with anyone paying $99 a month to access the MOZ Open Site Explorer service."
He said Holiday Extras has stopped using the Bit.ly service while it investigates the matter. Meanwhile, MOZ is also looking into it and has purged the data exposed in error.
"This is a serious issue that I am confident we are giving appropriate attention," Pack added.















