
Sensitive Data Included in Symantec Web Email Protection URLs for Symantec Encryption Management Server


Article ID: 150169


Updated On:

Products

Encryption Management Server

Issue/Introduction

 

Resolution

Some reports state that sensitive data is disclosed in URLs for Symantec Web Email Protection.

The only data disclosed is the email address of the recipient receiving the email. For example, when a Symantec Web Email Protection user receives a passphrase reset email, the URL is customized for that user and contains portions of the user's email address; however, this is the same email address the passphrase reset email is being sent to. Furthermore, obtaining information above and beyond the normal email communications requires access to a client machine or device, and an attacker with that access can carry out more serious attacks than knowing what email address is available.

For these reasons, the threat is extremely low, and the URL discloses no sensitive information that is not already known.

Etrack: 3840609