A Magento store owner approached me recently with a very embarrassing problem. Each time a customer placed a new order, the confirmation email was also being sent (cc’d) to other customers! This meant that some customers were able to see what other people had ordered and their name & address details, etc. Not good!
The origin of the problem seems to be how Magento 1.9 uses a cron job to send out emails. To quote a StackOverflow user:
The new Magento Email Queue system manages these two tables: core_email_queue and core_email_queue_recipients. The former one handles the email Messages, and the latter one, the Recipients of these messages. 1
What I think happened in this instance is that the cron failed, leaving orphaned recipients in the database table core_email_queue_recipients. The cron job should clear this table each time an email is sent out. The result of this failure is that new order confirmation emails are then dispatched to all recipients left in this table.
The quick way to resolve this problem is to delete (truncate) all the rows in the table core_email_queue_recipients. This clears up the problem – until it happens again! The longer-term answer is to add a foreign key constraint on the table that ensures rows get cleared and no orphan records remain in core_email_queue_recipients. This is not something for the faint-hearted to attempt.
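The following MySQL statements are an added example, not code from the original post or from Magento itself. They sketch the longer-term fix: find the orphaned recipients, remove only those, then add the constraint. They assume both tables are InnoDB, have no table prefix, and are linked by a message_id column; the constraint name is hypothetical.

```sql
-- Added example. Assumptions: InnoDB tables, no table prefix, and a
-- message_id column in both tables. Take a database backup first.

-- 1. Detect orphans: recipient rows whose parent message no longer exists.
SELECT r.message_id, COUNT(*) AS orphaned_recipients
FROM core_email_queue_recipients AS r
LEFT JOIN core_email_queue AS q ON q.message_id = r.message_id
WHERE q.message_id IS NULL
GROUP BY r.message_id;

-- 2. Delete only the orphans. Unlike a full TRUNCATE, this leaves the
--    recipients of messages still waiting in the queue untouched.
--    The ALTER TABLE in step 3 fails while any orphan rows remain.
DELETE r
FROM core_email_queue_recipients AS r
LEFT JOIN core_email_queue AS q ON q.message_id = r.message_id
WHERE q.message_id IS NULL;

-- 3. Add the foreign key so that deleting a message also deletes its
--    recipients. The constraint name is hypothetical.
ALTER TABLE core_email_queue_recipients
  ADD CONSTRAINT fk_email_queue_recipients_message
  FOREIGN KEY (message_id)
  REFERENCES core_email_queue (message_id)
  ON DELETE CASCADE
  ON UPDATE CASCADE;

-- 4. Confirm the constraint exists and cascades on delete.
SELECT CONSTRAINT_NAME, REFERENCED_TABLE_NAME, DELETE_RULE
FROM information_schema.REFERENTIAL_CONSTRAINTS
WHERE CONSTRAINT_SCHEMA = DATABASE()
  AND TABLE_NAME = 'core_email_queue_recipients';
```

Running the query from step 1 on a schedule and alerting on any non-empty result gives early warning that the queue has been left in an inconsistent state again.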