Unauthorized use of signup form to transmit unsolicited email
April 19–20, 2026 · Status: resolved
What happened. Between approximately 2026-04-19 22:38 UTC and 2026-04-20 01:13 UTC, an unauthorized third party submitted a high volume of automated requests to the PERM Tracker public signup endpoint. The attacker placed unsolicited Turkish-language marketing content inside the submitted "name" field, causing that content to appear in standard transactional emails generated for the attacker-supplied recipient addresses.
What was affected. Approximately 139 attacker-chosen third-party email addresses received one or more messages. Upstream rate limits imposed by our email provider significantly constrained the volume that was actually transmitted. No customer data was accessed, viewed, exported, or modified. No existing PERM Tracker user accounts were affected.
Immediate action. The activity was identified and stopped on 2026-04-20 01:13 UTC. Additional safeguards were deployed the same day:
- Server-side input validation on the affected endpoint, rejecting requests containing external URLs, non-alphabetic abuse patterns, or excessive length.
- Transactional messages (welcome email and administrative notifications) are now generated only after email verification is completed, preventing automated requests from triggering outbound email.
- Cloudflare Turnstile anti-automation challenge added to the signup endpoint with server-side token verification.
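As an added illustration, not PERM Tracker's own code, the following Python sketches the first two safeguards: a validator for the "name" field that rejects URLs, over-long input, control characters and text that is not mostly letters, and a signup flow in which the only message sent before verification carries no user-supplied text at all. The length limit, letter ratio, TLD list and the send_email callback are constructed assumptions.

```python
import re
import secrets

# Constructed limits and patterns; the notice does not state the exact rules deployed.
MAX_NAME_LEN = 64
MIN_LETTER_RATIO = 0.6
URL_RE = re.compile(r"(https?://|www\.|\S+\.(com|net|org|info|xyz|tr|ly)\b)", re.IGNORECASE)

def validate_name(name: str):
    """Return (ok, reason): reject URLs, over-long input, control chars and non-letter junk."""
    name = name.strip()
    if not name or len(name) > MAX_NAME_LEN:
        return False, "empty or too long"
    if URL_RE.search(name):
        return False, "contains URL"
    if any(not ch.isprintable() for ch in name):  # newlines, tabs, other control chars
        return False, "control characters"
    letters = sum(ch.isalpha() for ch in name)
    if letters / len(name) < MIN_LETTER_RATIO:
        return False, "not mostly letters"
    return True, "ok"

class SignupService:
    """Signups stay pending until the address is confirmed; only then is the welcome email built."""

    def __init__(self, send_email):
        self.send_email = send_email  # constructed hook: callable(to, subject, body)
        self.pending = {}             # token -> (name, email)

    def signup(self, name: str, email: str):
        ok, reason = validate_name(name)
        if not ok:
            return None, reason
        token = secrets.token_urlsafe(16)
        self.pending[token] = (name, email)
        # The confirmation mail carries only the token, never the submitted name,
        # so an automated submission cannot relay attacker text to a third party.
        self.send_email(email, "Confirm your address", f"/verify?token={token}")
        return token, "pending"

    def verify(self, token: str) -> bool:
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        name, email = entry
        self.send_email(email, "Welcome to the service", f"Welcome, {name}!")
        return True
```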
If you received an unexpected email. If you received a message referencing permtracker.app that you did not expect — particularly one containing a link or promotional content in Turkish — please do not click any links in that message. The content was not authorized by PERM Tracker, was not directed to you by us, and does not reflect our product or services. You may safely delete the email. You will not receive further messages from us unless you choose to sign up for an account directly at permtracker.app.
Coordinating with downstream providers. The phishing URL used in the attack has been reported to Google Safe Browsing, PhishTank, Netcraft, APWG, Bitly Trust & Safety, and Turkey's national CERT. Our email service provider has been notified proactively.