Slashdot Mirror


Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

23 of 247 comments

  1. Is it fixed? by CncRobot · · Score: 5, Interesting

    Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

    1. Re:Is it fixed? by codegen · · Score: 4, Interesting

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      Maybe notify members of the list that the list has been compromised and they might be getting virus loaded emails?

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    2. Re:Is it fixed? by Jah-Wren Ryel · · Score: 4, Insightful

      They need to at least confirm to him that they took him seriously and are at least attempting to track down the leak so that no more addresses leak out. Chances are they've got at least one PC with malware harvesting email addresses. If that's the case, they probably have other malware too.

      --
      When information is power, privacy is freedom.
    3. Re:Is it fixed? by hedwards · · Score: 4, Interesting

      If they do acknowledge the problem, how would he know if it's fixed? Once the data is out there, it's out there. Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

    4. Re:Is it fixed? by Zaelath · · Score: 4, Interesting

      I'd bet my left nut "a well-known provider of tools for the Systems Administration community" is Atlassian, and they claim there's no issue.

    5. Re:Is it fixed? by t4ng* · · Score: 5, Informative

      Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

      Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed my email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

      Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.

    6. Re:Is it fixed? by Frojack123 · · Score: 5, Insightful

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      I agree, once it's out, they are as powerless as the target is.

      As for his question:

      What would you recommend as my next course of action?

      1) Kill the email account, such that all mail bounces.
      2) Create a new subscription account.
      3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. It's not worth any more of your time or anguish.

      --
      F. Robert Jack
    7. Re:Is it fixed? by Mattcelt · · Score: 4, Interesting

      I had exactly the same issue as the OP this past week, but with a Fortune 1000 company whose business model revolves around collecting and selling information about people.

      I contacted their information security department, and sent them the emails and headers at their request. I haven't heard from them since.

      The problem is that not only did I get emails to an address that only that company has; my social security number was also in the emails. So whoever got the emails got much more personal information as well. It's clearly a case where the company should be disclosing that they had a breach. If they don't, I'm going public with what I've got.

      These companies have a responsibility to the people whose information they hold.

    8. Re:Is it fixed? by ghmh · · Score: 5, Insightful

      I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

      e.g.

      thecompany@yourdomain.com localaccount

      becomes

      #thecompany@yourdomain.com localaccount
      thecompany2@yourdomain.com localaccount

      If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.
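The rotation described in the comment above, as an added example that is not part of the original thread. It assumes a whitespace-separated alias map with `#` comments, the layout the comment shows (Postfix virtual alias maps use the same layout); `rotate_alias` and `SAMPLE_MAP` are hypothetical names.

```python
import re

# Constructed alias map in the layout the comment shows: "address localaccount".
SAMPLE_MAP = """\
thecompany@yourdomain.com localaccount
otherco@yourdomain.com localaccount
"""

def rotate_alias(map_text, address):
    """Retire `address` and issue the next numbered alias for the same company.

    Returns (new_map_text, new_address). The burned line is commented out
    rather than deleted, so a retired address is never handed out again.
    """
    local, domain = address.lower().split("@", 1)
    base = re.sub(r"\d+$", "", local)                 # thecompany2 -> thecompany
    entry = re.compile(r"^(#?)\s*" + re.escape(base) + r"(\d*)@"
                       + re.escape(domain) + r"\s+(\S+)", re.IGNORECASE)
    lines = map_text.splitlines()
    used, live_index, target = set(), None, None
    for i, line in enumerate(lines):
        m = entry.match(line)
        if not m:
            continue
        used.add(int(m.group(2) or 1))                # bare name counts as 1
        # Only an uncommented line for exactly this address may be rotated.
        if not m.group(1) and f"{base}{m.group(2)}" == local:
            live_index, target = i, m.group(3)
    if live_index is None:
        raise ValueError(f"{address} is not an active entry")
    # Number past every alias ever issued, including commented-out ones.
    successor = f"{base}{max(used) + 1}@{domain}"
    lines[live_index] = "#" + lines[live_index]
    lines.insert(live_index + 1, f"{successor} {target}")
    return "\n".join(lines) + "\n", successor
```

Give the successor address to the company at the same time the report is sent, so any later spam to it postdates the notification.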

    9. Re:Is it fixed? by rtfa-troll · · Score: 4, Insightful

      And please note that there are other ways of compromising email addresses; e.g. using them in plaintext on a compromised access point or a mail server between you and the company but outside their control. If you want to prove this you have to be absolutely sure about the security of the address and check that every connection is (at least) encrypted.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Write threatening letters by nemesisrocks · · Score: 5, Interesting

    I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.

    The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.

    Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)

    1. Re:Write threatening letters by robbo · · Score: 4, Interesting

      +1. You have no reason to expect an acknowledgement if you just pass it 'up the food chain'. Put it in clear legalese and look forward to a reply from their lawyer. Most likely someone on the inside sold the list for chump change.

      btw did you consider that maybe it's you that's compromised? 8-)

      --
      So long, and thanks for all the Phish
    2. Re:Write threatening letters by erice · · Score: 4, Insightful

      The only solution I've found to be the most effective is sending these companies threatening letters.

      It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

      Make sure you are outside of your pristine glass house before you start throwing stones.

      This is incredibly easy to check. If it was a local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be pouring in to many many addresses. If it was just a single address assigned to a single company then you can be pretty sure that it was their system compromised and not yours.

    3. Re:Write threatening letters by AK Marc · · Score: 4, Interesting

      Has there ever, in the history of the modern Internet, been a proven case of someone "sniffing" something from "the Internet" (defined for this to be beyond the first provider and not as a part of the last provider), aside from government nodes? You might as well be afraid that the aliens are reading your thoughts from orbit.

  3. Move On by mrtwice99 · · Score: 5, Insightful

    What would you recommend as my next course of action?

    Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)

  4. Depends... by xlsior · · Score: 5, Insightful

    - How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com

    - Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

    1. Re:Depends... by ssfire · · Score: 5, Interesting

      Yup. When I set up an account with Ameritrade, I initially created an email address ameritrade@mydomain.com. Then I started getting spam on it. But the spammers might have guessed that email address. So I created a new non-guessable email address ameritrade_29478763@mydomain.com. But then I started getting spam on that. So I notified Ameritrade. No response, so I closed my account. A few months later, there was a news item that a trojan running on the Ameritrade servers had compromised 6.3 million email addresses.
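The checks raised in this thread (erice's "are all addresses hit, or just one?" and the guessable-username question in the "Depends..." comments above) can be run over a mail filter log. This is an added example, not part of the original thread; the log layout, the alias inventory and the `triage` function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory: every alias ever handed out, and to whom.
ISSUED = {
    "toolvendor_29478763@example.org": "toolvendor",
    "bank@example.org": "bank",
    "shop_5f3a9c@example.org": "shop",
    "forum@example.org": "forum",
}

# Constructed filter log; the to=<...> verdict=... layout is made up here.
SAMPLE_LOG = """\
2013-02-01T08:01:12 to=<toolvendor_29478763@example.org> verdict=INFECTED
2013-02-01T09:14:40 to=<bank@example.org> verdict=CLEAN
2013-02-03T11:30:05 to=<toolvendor_29478763@example.org> verdict=INFECTED
2013-02-04T17:45:59 to=<shop_5f3a9c@example.org> verdict=CLEAN
"""

LINE = re.compile(r"to=<([^>]+)>\s+verdict=(\w+)")

def triage(log_text, issued, broad_share=0.5):
    """Classify flagged mail by which aliases it reached."""
    hits = Counter(rcpt.lower() for rcpt, verdict in LINE.findall(log_text)
                   if verdict != "CLEAN")
    known = sorted(a for a in hits if a in issued)
    never_issued = sorted(a for a in hits if a not in issued)
    if not hits:
        finding = "none"
    elif not known:
        finding = "guessing"          # only addresses nobody was ever given
    elif len(known) == 1:
        local = known[0].split("@")[0]
        # A bare word such as bank@ can be hit by a dictionary run; a random
        # token cannot, so only then does the hit point at a single holder.
        finding = "guessable-alias" if local.isalpha() else "single-source"
    elif len(known) / len(issued) >= broad_share:
        finding = "broad"             # most aliases hit: look at your own side
    else:
        finding = "multiple-sources"
    return {"finding": finding,
            "suspects": [issued[a] for a in known],
            "never_issued": never_issued,
            "counts": dict(hits)}
```

A "single-source" finding is the evidence worth attaching to a report: one unguessable address, issued to one party, with the message headers and dates of each hit.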

  5. Public Shaming by Jah-Wren Ryel · · Score: 4, Interesting

    It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.

    I don't even bother any more. I get spam/malware it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog, make an entry about it and hope it shows up in Google. Or post the info here, if it gets modded up Google will probably index it.

    --
    When information is power, privacy is freedom.
  6. Re:Geeks rarely rule the roost by arth1 · · Score: 4, Funny

    I just wonder what kind of System Administration list has a Facebook page. The mind boggles.

  7. You're not helping, honestly by realmolo · · Score: 5, Insightful

    Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

    That's why you haven't got a response. They know, but there's nothing they can do.

    And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

    My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

    1. Re:You're not helping, honestly by hawguy · · Score: 4, Insightful

      Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

      That's why you haven't got a response. They know, but there's nothing they can do.

      And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

      My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

      Disclosing the data breach to everyone affected would be nice (and in some states is legally required), as well as letting customers know what data was breached.

      Of course, this assumes that they actually know how the data leaked and which customers were affected and they probably don't.

  8. Compromised, you sure? by dmomo · · Score: 4, Insightful

    Or they knowingly sold your address.

  9. Use This Thunderbird Plugin by Jah-Wren Ryel · · Score: 4, Informative

    This does not directly address the question, but it is topical.

    I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin for Thunderbird.

    It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.

    --
    When information is power, privacy is freedom.