In a new paper published today, Professor Vitaly Shmatikov demonstrated how hackers can find out intimate information through shortened URLs, WIRED reports.

FOR ANYONE WITH minimalist tastes or an inability to use copy-paste keyboard shortcuts, URL shorteners may seem like a perfectly helpful convenience. Unfortunately, the same tools that turn long web addresses into a few characters also offer the same conveniences to hackers—including any of them motivated enough to try millions of shortened URLs until they hit on the one you thought was private.

That’s the lesson for companies including Google, Microsoft, and Bit.ly in a paper published today by researchers at Cornell Tech. The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.

 Read the full article on WIRED.