If you have a Stripe account, I recommend that that you protect your account: send email to [email protected] with this text "Please add protection to my account such that when someone reports a breach, such as reporting that Stripe is sending my information to an unauthorized third party, that Stripe notifies me via my email on record and also my phone number on record."

I am using coordinated disclosure. https://github.com/joelparkerhenderson/coordinated_disclosure

I alerted Stripe on 2018-10-22 via Stripe's published security methods, and provided specific proof. The Stripe responses to multiple requests for security help are e.g. "Due to security procedures we cannot access to your account regarding the email." and "We need to speak with the person that is listed as the company representative for security purposes."

If you work for Stripe, please alert your security team that many more of your users will be at risk. To find the issue and stakeholders, your security team can search the support email for this unique id: e6d0fcf38cb3fa886734eb36bc30e20d

If you are a security researcher and want to help, my email is [email protected].