The 19-year-old cybersecurity researcher who remotely accessed dozens of Tesla Inc vehicles through a third-party flaw, has a new trick: hacking the car owners’ email addresses to notify them they’re at risk.

Earlier this month, David Colombo discovered a flaw in a piece of third-party open source software that let him remotely hijack some functions on about two dozen Teslas, including opening and closing the doors or honking the horn. In trying to notify the affected car owners, he then found a flaw in Tesla’s software for the digital car key that allowed him to learn their email addresses.