Subscriber exists - all fields populated with just email address

We have an existing Subscribe form where if a member inputs their email address and if they already exist they are redirected to a page that populates all the other fields for that member (e.g. First/Last, Member number, subscribed segments etc.). The user can then update the details as required and "Update profile". All good - except if someone knows another person's email address, they can find out all the other details including member number and change any or all of the details. There appears to be no double opt-in for changes to the record which can be a security issue. Can you please confirm if this is possible?
 
Is this actually a problem in the real world, besides the theory? I haven't seen this to be a problem ever since running MailWizz, that is, more than 7 years by now. I think the same applies to the other services as well, not just MailWizz.
If we were to implement something against this, what do you have in mind?
 
I don't know about this, it seems that we would enter another layer of complexity to make something more complex than it should be.

Does anyone else want to share their ideas about this?
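Added example, not part of the thread and not MailWizz code: one way to confirm profile changes by email is for the form to mail a signed, expiring link to an address that already exists, and to show the profile only to whoever presents that link. The secret, lifetime, function names and sample subscriber are all assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: per-install secret kept server side
TTL = 900                          # assumption: link is valid for 15 minutes
# Constructed sample subscriber store
SUBSCRIBERS = {"alice@example.com": {"first": "Alice", "member_no": "M-1001"}}
OUTBOX = []                        # stands in for the outgoing mail queue

def _sign(body: bytes) -> bytes:
    digest = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest)

def issue_token(email: str, now: float) -> str:
    claims = json.dumps({"e": email, "x": int(now) + TTL}).encode()
    body = base64.urlsafe_b64encode(claims)
    return body.decode() + "." + _sign(body).decode()

def verify_token(token: str, now: float):
    """Return the email the token was issued for, or None if forged or expired."""
    body, _, sig = token.partition(".")
    # Constant-time comparison; the body is parsed only after the MAC checks out.
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["e"] if now < claims["x"] else None

def subscribe_form(email: str, now: float) -> str:
    """Existing address: mail an update link instead of rendering the profile."""
    key = email.strip().lower()
    if key in SUBSCRIBERS:
        OUTBOX.append((key, issue_token(key, now)))
    # Same reply either way, so the form does not reveal who is on the list.
    return "If this address is on the list, an update link has been sent to it."

def profile_page(token: str, now: float):
    """Profile fields go only to someone holding a valid mailed token."""
    email = verify_token(token, now)
    return SUBSCRIBERS.get(email) if email else None
```

The update handler would run the same `verify_token` check before writing any change, so knowing an address alone is not enough to read or edit the record.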
 