diff --git a/public/app.js b/public/app.js
index 87e1b68..684778b 100644
--- a/public/app.js
+++ b/public/app.js
@@ -111,8 +111,17 @@ function updateConnectionStatus(connected) {
 
 // Charts
 function initCharts() {
+    // FIXED: Fallback if Chart.js blocked by tracking prevention
     if (typeof Chart === 'undefined') {
-        console.warn('Chart.js not loaded')
+        console.warn('[Charts] Chart.js not loaded (may be blocked by tracking prevention)')
+        var pointsCanvas = document.getElementById('pointsChart')
+        var activityCanvas = document.getElementById('activityChart')
+        if (pointsCanvas) {
+            pointsCanvas.parentElement.innerHTML = '<div style="padding: 2rem; text-align: center; color: #8b949e;">Charts unavailable (Chart.js blocked by browser)</div>'
+        }
+        if (activityCanvas) {
+            activityCanvas.parentElement.innerHTML = '<div style="padding: 2rem; text-align: center; color: #8b949e;">Charts unavailable (Chart.js blocked by browser)</div>'
+        }
         return
     }
     initPointsChart()
@@ -634,7 +643,7 @@ function executeSingleAccount() {
         .then((data) => {
             if (data.success) {
                 showToast('✓ Bot started for account: ' + maskEmail(email), 'success')
-                loadStatus()
+                refreshData() // FIXED: Use refreshData() instead of undefined loadStatus()
             } else {
                 showToast('✗ Failed to start: ' + (data.error || 'Unknown error'), 'error')
             }
diff --git a/src/dashboard/state.ts b/src/dashboard/state.ts
index 3c47cec..a970ae5 100644
--- a/src/dashboard/state.ts
+++ b/src/dashboard/state.ts
@@ -125,11 +125,19 @@ class DashboardState {
   }
 
   private maskEmail(email: string): string {
-    const [local, domain] = email.split('@')
-    if (!local || !domain) return email
-    const maskedLocal = local.length > 2 ? `${local.slice(0, 1)}***` : '***'
-    const [domainName, tld] = domain.split('.')
-    const maskedDomain = domainName && domainName.length > 1 ? `${domainName.slice(0, 1)}***.${tld || 'com'}` : domain
+    const parts = email.split('@')
+    if (parts.length !== 2) return '***@***'
+    
+    const [local, domain] = parts
+    if (!local || !domain) return '***@***'
+    
+    // SECURITY: More aggressive masking to prevent account enumeration
+    const maskedLocal = local.length <= 2 ? '**' : local.slice(0, 2) + '*'.repeat(Math.min(local.length - 2, 5))
+    
+    const domainParts = domain.split('.')
+    const tld = domainParts.pop() || 'com'
+    const maskedDomain = domain.length <= 4 ? '***.' + tld : domain.slice(0, 2) + '***.' + tld
+    
     return `${maskedLocal}@${maskedDomain}`
   }