Essential 'phishing attack' was just sloppy email practice [Andy Rubin responds]

Update 2: Essential CEO Andy Rubin has confirmed that yesterday's slip-up was due to a misconfiguration with one of the customer care emails. The company has disabled that particular account, and is adding in safeguards to prevent a similar occurrence in the future:

Yesterday, we made an error in our customer care function that resulted in personal information from approximately 70 customers being shared with a small group of other customers. We have disabled the misconfigured account and have taken steps internally to add safeguards against this happening again in the future. We sincerely apologize for our error and will be offering the impacted customers one year of LifeLock. We will also continue to invest more in our infrastructure and customer care, which will only be more important as we grow.

Being a founder in an intensely competitive business means you occasionally have to eat crow. It's humiliating, it doesn't taste good, and often, it's a humbling experience. As Essential's founder and CEO, I'm personally responsible for this error and will try my best to not repeat it.

I remain heartened and motivated by the groundswell of support that Essential has experienced since unveiling the company on May 30th. We continue to believe deeply in our vision and the innovation we are bringing to life via our Home, Phone and 360 Camera products. I humbly thank our customers and channel partners for your patience and understanding as we proceed with the launch of our first products.

Update: It appears that Essential had a misconfiguration of their customer support software (Zendesk in this case) that caused emails to be blind copied (BCC:) to everyone on a customer mailing list who needed to provide more information. Other reports of fraudulent charges and a compromised customer database are as of yet unconfirmed.

The Essential Phone is finally going out to customers after lengthy delays, but the company isn't done with its share of controversy yet. An email that's going out to customers from an Essential support account (customercare@essential.com) is soliciting additional information in the form of a photo ID to process shipments. While the address itself is legitimate, it looks like the company's customers have been targeted by a phishing attack.

Judging by the responses to the Reddit thread, the hacker found a way into the company's mailserver. Here's the email in its entirety:

Hi,

Our order review team requires additional verifying information to complete the processing of your recent order. 

This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases. 

Please provide an alternative email and phone number to confirm this purchase..

We would like to request a picture of a photo ID (e.g. driver's license, state ID, passport) clearly showing your photo, signature, and address. NOTE: the address on the ID should match the billing address listed on your recent order.

We apologize for the inconvenience and appreciate your cooperation.  Once verified, we look forward to shipping your order.

Thanks!

Essential Products Customer Care

For its part, Essential has mentioned that it has taken steps to "mitigate the issue:"

Did you receive an email from Essential requesting verifying information?