721 points hhs | 1 comments
1. tewwi No.22894036
My biggest concern is data leaking, via web hooks, from other platforms into ours.

Most of our clients use Stripe for payments on our platform. They are connected via Stripe Connect. However, a handful of them use other services from other providers as well, also with Stripe Connect.

We are seeing web hook events not just for our own platform but also for the other platforms too, which obviously include details about the transaction but also often personally identifiable information such as name, email, address, telephone number.

Your support team acknowledged that they are aware of the issue. The response was:

"Because of how the design of the connected accounts are, any events from that connected account will be sent to all Platforms that the account is connected to. We do understand and see how this is a potential security/safety issue, and we have made note of this to our Connect team.

While we do not have any current plans to adjust this, we are going to discuss things with our Connect team to see if there is a way we can make this better for our users."

I personally consider this a massive data leak because potentially sensitive information about customers is being shared to companies who have no right to access that information.

I really hope you can look into this.

Regards, Will
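
A platform that receives such events can discard the ones it did not originate before anything is stored. The following is an added example, not part of the comment above and not Stripe's code: it assumes the signature was already verified, that `data.object` carries an `application` field naming the Connect application that created the object (as Stripe charge objects do), and that `OUR_APPLICATION_ID` is a placeholder; events without that field are dropped as unknown.

```python
import json

# Assumption: placeholder for this platform's own Connect application ID.
OUR_APPLICATION_ID = "ca_EXAMPLE_OUR_PLATFORM"

# Event metadata that is safe to log for a dropped event (no customer data).
SAFE_LOG_FIELDS = ("id", "type", "account")


def triage_connect_event(raw_body: bytes) -> dict:
    """Decide whether a Connect webhook event belongs to this platform.

    Returns {"action": "process", "event": ...} for our own events and
    {"action": "drop", "log": ...} otherwise. "log" holds only non-personal
    metadata, so foreign PII is never written to storage or log files.
    """
    event = json.loads(raw_body)
    obj = (event.get("data") or {}).get("object") or {}
    app = obj.get("application")
    # The field may be an ID string or an expanded object with an "id" key.
    if isinstance(app, dict):
        app = app.get("id")
    if app == OUR_APPLICATION_ID:
        return {"action": "process", "event": event}
    log = {k: event.get(k) for k in SAFE_LOG_FIELDS}
    log["reason"] = "foreign_application" if app else "application_missing"
    return {"action": "drop", "log": log}


def _sample(event_id: str, application) -> bytes:
    """Build a constructed sample event (not real Stripe data)."""
    obj = {"id": "ch_SAMPLE", "object": "charge",
           "billing_details": {"name": "Jane Example",
                               "email": "jane@example.invalid"}}
    if application is not None:
        obj["application"] = application
    return json.dumps({"id": event_id, "type": "charge.succeeded",
                       "account": "acct_SAMPLE",
                       "data": {"object": obj}}).encode()


OWN_EVENT = _sample("evt_SAMPLE_1", OUR_APPLICATION_ID)
FOREIGN_EVENT = _sample("evt_SAMPLE_2", "ca_EXAMPLE_OTHER_PLATFORM")
UNKNOWN_EVENT = _sample("evt_SAMPLE_3", None)

if __name__ == "__main__":
    for body in (OWN_EVENT, FOREIGN_EVENT, UNKNOWN_EVENT):
        result = triage_connect_event(body)
        print(result["action"], result.get("log", ""))
```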