After being informed by Bloomberg prior to publication of this story, CVS and St. Jude’s said affected pages had now been removed or were in the process of removal. Representatives for WebMD and Pine Hills Golf Club have not responded to multiple requests for comment.

Another explanation is that when a website operator creates an index of pages on their server to give to Google -- known as a “site map” -- pages that should be only visible by a customer can be accidentally included.

A spokesman for Alphabet Inc.’s Google said the company provides documentation to help webmasters prevent this happening, and that it only serves information available on the public web.

While individually the data may be seen as harmless, in the hands of a cyber-criminal it could be used fraudulently, said Melson.

Here’s a hypothetical way that could play out: A rogue caller phones an individual and recites details of a recent donation, when it was made and to whom it was sent, while claiming the method of payment failed. The vulnerable victim could then be persuaded to repeat the donation, but this time to the criminal’s own account. Or that person could be tricked into revealing a password to reconfirm an order, inadvertently submitting all the combinations of their commonly-used passwords into an attacker’s database.

Targeted email attacks have played roles in a number of online breaches. At least three 2018 U.S. congressional candidates have been hit with phishing attacks that strongly resemble Russian sabotage two years ago, Microsoft Corp.’s Tom Burt, corporate vice president for customer security and trust, said in July. In 2016, the U.S. Department of Justice said a 28-year-old man from Illinois was charged for using phishing scams to access the online accounts of celebrities, from which he stole personal -- and often sexually explicit -- photographs and videos.

Michela Menting, digital security research director at ABI Research, said low-level accidental data leaks occur frequently, but that they can be “as big an issue as a mass data breach, simply because it happens on a much broader scale and on a continuous basis.”

“It’s a sort of death by a thousand cuts if you will, rather than one critical wound,” she said. “It’s these small cuts and leakages that companies tend to brush aside, because they can’t see the larger picture.”

However, identifying the scale of the problem is difficult, and the degree of severity varies greatly between websites. There’s also little consistency between the number of people whose data is being exposed, and the potential customer base of the website making it available.

Such low-level data leaks represent a type of basic error companies, large and small, have been making for years. In April, U.S. bakery chain Panera Bread said it had fixed an exploit on its website that could have left the personal information of as many as 7 million customers available to scammers.