Currently the unsubscribe link contains an unencrypted email address in the URL. This URL can be accessed by anyone to unsubscribe anyone else. Is there some (even basic) encryption that could be done on the email address when passed into the URL to prevent this from being so obvious? Or maybe some use of the database to tag or salt user email addresses?
Sendy encrypts all IDs and emails in the URL with the AES-256-CBC encryption method (used by the U.S. government to encrypt top secret documents) using openssl_encrypt / openssl_decrypt and hashed with your API key.
If you see the email address in the URL, that means your PHP version is either lower than 5.3 or your PHP does not have OpenSSL support. I checked and saw that you are on PHP 5.3.2, so it's not that. So I checked your PHP info and saw that you do not have OpenSSL.
You need to install OpenSSL if you want emails and IDs to be encrypted with openssl_encrypt / openssl_decrypt.
Once you have OpenSSL installed for PHP, your unsubscribe link will look something like this:
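An added example, not part of the reply above and not Sendy's own code: one way to turn an email address into an opaque, tamper-evident URL token with openssl_encrypt and AES-256-CBC, failing closed when the OpenSSL extension is missing instead of leaving the plain address in the link. The helper names, the derivation of keys from the API key, the token layout (IV, ciphertext, HMAC) and the sample values are assumptions; it assumes PHP 7.1+.

```php
<?php
// Added illustration with hypothetical helpers; not Sendy's implementation.
function derive_keys(string $apiKey): array {
    // Assumption: two independent 32-byte keys derived from the API key.
    $master = hash('sha256', $apiKey, true);
    return [hash_hmac('sha256', 'enc', $master, true),
            hash_hmac('sha256', 'mac', $master, true)];
}
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt) {
    $txt = strtr($txt, '-_', '+/') . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode($txt, true); // false on invalid input
}
function encrypt_url_value(string $plain, string $apiKey): string {
    if (!extension_loaded('openssl')) {
        // Fail closed: never fall back to a readable address in the link.
        throw new RuntimeException('PHP OpenSSL extension is not loaded');
    }
    [$encKey, $macKey] = derive_keys($apiKey);
    $iv = random_bytes(16); // fresh IV for every token
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    // Encrypt-then-MAC so a modified token is rejected before decryption.
    return b64url_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}
function decrypt_url_value(string $token, string $apiKey): ?string {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 64) { // 16 IV + 16 block + 32 MAC
        return null;
    }
    [$encKey, $macKey] = derive_keys($apiKey);
    $body = substr($raw, 0, -32);
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), substr($raw, -32))) {
        return null; // tampered or forged token
    }
    $plain = openssl_decrypt(substr($body, 16), 'aes-256-cbc', $encKey,
                             OPENSSL_RAW_DATA, substr($body, 0, 16));
    return $plain === false ? null : $plain;
}

// Constructed sample values, not real credentials or addresses.
$token = encrypt_url_value('user@example.com', 'constructed-api-key');
var_dump(decrypt_url_value($token, 'constructed-api-key') === 'user@example.com');
var_dump(decrypt_url_value($token . 'A', 'constructed-api-key')); // altered token
```

The HMAC is what stops someone from editing a token into one that decrypts to a different address; CBC encryption on its own only hides the value.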