Sites Leaking Users' Email Addresses

Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."

Disposeable hotmail accounts, anyone?

All the more reason to have a disposeable hotmail account. Only some few personal friends have my "real" email. I've been doing this for years, and never get any spam.

Re:Disposeable hotmail accounts, anyone?

[zallus]

Here's some blatant avertising for a spam protection service I use, http://spamgourmet.com/. You pick out an address to fill in in servicekey.messages_allowed.accountname@spamgourme t.com format, and it forwards messages_allowed messages from the servicekey account, then discards all further ones. I use this for a gmail account I have, and I've never gotten a single spam message to it. Ever.

I love challenge/response!

[mjh]

I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA) I just don't care. I give anyone my email whenever they want. I register on websites with an address that expires. So it works for long enough for them to send whatever it is that I need from them and then stops working after that.

Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.

IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of /.

(FWIW, I fully understand the argument that says that C/R is bad. I do not agree with it's accuracy nor it's validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R.)

HOW does this help?

[argent]

What they need to do is require four secret questions, all needing to be answered correctly to go on.

As soon as they get the FIRST question they have the information they need, that this is a valid email address.

If you don't put the email address in in the first place, then you don't need any secret questions at all.

Gmail

Just add "+$SUFFIX" to your username. Example: username+somplaceregistration@gmail.com Then if you start getting spam at that address, jsut adda filter to delete mail to the "+someplaceregistration" suffix. Unfortuantely, some sites don't accept email addresses with "+" in them.

Re:register with

[theguyfromsaturn]

I just use my Yahoo Address Guarded account for this kind of stuff. Address guard is neet. You do get the registration e-mail and you can reactivate the specific e-mail that will get your forgotten password when you need it, and deactivate it at all other times. If you don't know about the Address Guard, go to your Yahoo mail, and under Options go to address guard and read the explanations. I highly recommend it. I have one, "basename"-forgottenpasswords@yahoo.com that I use for this specific case. Once the account is created with hta ID and you've replied to the e-mail, you can erase that entry (and never receive e-mail there). If you forget your password, go back to AddressGuard, add forgottenpasswords (or whatever you choose to call it) as one of your addresses, and on the site request your address again. It has changed the way I e-mail. Nobody gets my Yahoo ID based name. All get base-name, extension name compound addressguard address. It makes disposing of undesireable e-mails very very easy.

Got a Wikipedia Account? Vandals Got Your Password

As an on-again, off-again Wikipedian responsible for countless edits as well as several full articles, I used to be happy to leave administrative matters there to others. Such was my bliss, anyway, until I stumbled upon something extremely troubling--something that forced upon me an awareness of the project's astonishingly careless attitude toward privacy and security. This is the product, apparently, of an obsession with countering vandalism so all-consuming that administrators are even willing to expose unlucky bystanders to identity theft.

This is what I discovered.

A Wikipedia developer, intending to catch sockpuppet accounts (multiple accounts created by the same individual), queried the user database for a list of accounts whose passwords matched passwords belonging to known vandals and trolls. Hoping the results would be useful to others, he published his findings on his user page. Of course, such a list necessarily included anyone who happened to be using, merely by coincidence, the same passwords as the targeted individuals. As a matter of fact, it seems likely that the dragnet caught at least some people by chance alone. But only the people on the list could know for sure.

That in itself sounds unfortunate, but none too dangerous. The horrifying punchline is this: in publishing the results of his query, the developer had effectively given these vandals and trolls a list of usernames with whom they shared a password. And once so equipped, the vitals of each compromised account--including the email address--were just a login away.

Leaking people's passwords, usernames, and email addresses to anyone is damaging enough, let alone to established miscreants.

Anywhere else, a mistake like this would be acknowledged, the offending information removed, and the potential victims notified. Not so on Wikipedia, where the list spawned nothing but a protracted debate and then a vote to remove the page. In a second blow to Wikipedia's reputability--the first being the mistake itself--the vote finally succumbed to addled logic and shortsightedness, as did a motion to restrict its visibility to site administrators. And so the page has remained linked and visible now for almost a full year, a threat to any innocents listed therein and an affront to anyone with an interest in their privacy and personal security.

Imagine if you were on that list. (In fact, maybe you are.) Wouldn't you wonder how it was possible for Wikipedia to expose your password to malicious users for the better part of a year? Wouldn't you marvel that no one had alerted you?

I don't mean to single anyone out here, which is why I've refrained from mentioning the name of the careless developer. The real indictment, in my view, is of the process that:

1. Allowed such an egregious breach of privacy;
2. Failed to correct it, even after it came to attention;
3. Failed to notify those whose passwords had been leaked.

It is my opinion that this incident is only symptomatic of a larger problem: Wikipedia's tradition of policymaking by ad hoc polling. It is also, perhaps, a harbinger of disasters to come. A draft privacy policy offers some hope, but interest in its adoption appears to have stagnated.

For the foreseeable future, then, it would be unwise for anyone to entrust their privacy to the Wikipedia site, when the project's developers and administrators have so clearly demonstrated a severe unfitness to guard it, to say nothing of a callous contempt for the real-world safety of contributors.

----
Note: If my anonymity gives you pause to question my credi