Epsilon Data Breach Bigger Than Just Kroger Customers' Data
wiredmikey writes with an update to the previously reported Epsilon breach: "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow ..." An anonymous reader points out that U.S. Bank is on the list of affected companies; I wonder how many more phishing attempts this will mean.
This wasn't a marketing company; it was an e-mail delivery service. It takes a lot of work to deliver thousands of customized e-mails to a customer base. To get it right, you have to learn the SMTP acceptance policies of various ISPs, deliver up to the limit, and then back off until the timeout resets.
This just goes to show why you only give database slices away: all they needed was the text of the e-mail with the variable spots included, the name to put in the variable slot, and the address to send it to.
It's a spammer's dream to get this many active e-mail addresses released, but it's not the kind of thing that should cause much damage.
Here is the US Bank email I just got...
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
.... then we're in trouble
I ran into their awful code back in August, when I was trying to sign in for a Sears email special (hey, I need some cheap tools ...)
the page is still there:
http://www.sears.com/shc/s/dap_10153_12605_DAP_Get%20Connected?adCell=WF
It wouldn't validate my password (say ... for example, "ab1cd2ef"), even though it met all the requirements:
"Password must be at least 8 characters, contain at least one number and one character, not start with a number and not contain any special characters."
so I dug in a little, and found quite a gem of JavaScript!
// letters, then one run of digits, then optional letters: a second digit run anywhere fails
if (/^[a-zA-Z]+[0-9]+[a-zA-Z]*$/.test(oPass.value) == false) {
    alert(invalidMsg);
    oPass.focus();
    return false;
}
it won't handle the two numbers ...
try it ... go to the sears link up there, and try registering with a password like ("ab1cd2de") ... don't worry, it won't work, so your (hopefully fake) email will be safe ...
if you want to see what's happening, have a look at the script.js file, and search for the function verifyPass() ...
you can even see some commented out code of their previous attempts at implementing this basic functionality
I emailed Sears back in August, telling them where the error was, and a simple way to fix the regex used ... but all I got was an "out of office reply"
ah well... I still managed to register after all, and have bought a few tools on sale ...
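As an added example (not code from the post above, and not Sears' or Epsilon's script.js), here is the quoted verifyPass() regex beside a regex that implements the stated policy (at least 8 characters, at least one digit and one letter, first character not a digit, no special characters), both run over a constructed set of test passwords. Function names, the test-case list and the pass/fail expectations are this example's own assumptions.

```javascript
// Added example: the broken password regex from the page beside a fixed one,
// checked against constructed test cases. Not the site's own code.

// The regex quoted from verifyPass(): letters, then exactly one run of digits,
// then optional letters. Two separated digits ("ab1cd2ef") never match, and
// the minimum length is never checked at all.
const buggyPasswordRe = /^[a-zA-Z]+[0-9]+[a-zA-Z]*$/;

// Stated policy, expressed directly: first character a letter, seven or more
// further letters/digits (so >= 8 total, no special characters), and a
// lookahead requiring at least one digit somewhere. The leading letter already
// satisfies "contains at least one letter".
const fixedPasswordRe = /^(?=.*[0-9])[a-zA-Z][a-zA-Z0-9]{7,}$/;

function buggyVerifyPass(pw) {
  return buggyPasswordRe.test(pw);
}

function fixedVerifyPass(pw) {
  return fixedPasswordRe.test(pw);
}

// Constructed test cases: [password, expected result under the stated policy].
const cases = [
  ["ab1cd2ef", true],   // the post's example: two separate digits
  ["abcdefg1", true],   // single trailing digit
  ["abc123de", true],   // one digit run in the middle
  ["abc123",   false],  // only 6 characters
  ["ab1cd2e",  false],  // only 7 characters
  ["1abcdefg", false],  // starts with a digit
  ["abcdefgh", false],  // no digit
  ["abcd!ef1", false],  // special character
];

// Run every case through a verifier and report which ones disagree with the policy.
function runCases(verify) {
  return cases.map(([pw, expected]) => ({
    pw,
    expected,
    got: verify(pw),
    ok: verify(pw) === expected,
  }));
}

// Passwords on which the given verifier gets the policy wrong.
function failingCases(verify) {
  return runCases(verify)
    .filter((r) => !r.ok)
    .map((r) => r.pw);
}

for (const [name, verify] of [["buggy", buggyVerifyPass], ["fixed", fixedVerifyPass]]) {
  console.log(`${name}: wrong on ${JSON.stringify(failingCases(verify))}`);
}
```

The buggy regex fails in both directions: it rejects the valid "ab1cd2ef" and accepts the too-short "abc123". Whatever the client-side check does, the same policy must be enforced again on the server, since a browser-side regex can be bypassed by anyone who edits the form.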
Actually, the signup.aspx is in an iFrame on Sears that is pulled from Epsilon.com. So yes, Epsilon is the coder of the crap. A simple series of test cases and some Googling could have fixed that.
I too hate it when you are browsing a site that got something wrong, you try to point out how to fix it (since you are a customer and would like it to work in your browser of choice), and the company totally blows you off. When somebody gives you that detailed an explanation of your problem, you should listen to them, since they probably know what they are talking about. At least give it a try.