Home Depot Says Hackers Grabbed 53 Million Email Addresses

← Back to Stories (view on slashdot.org)

Home Depot Says Hackers Grabbed 53 Million Email Addresses

Posted by samzenpus on Thursday November 6, 2014 @12:33PM from the reply-all dept.

wiredmikey writes Home Depot said on Thursday that hackers managed to access 53 million customer email addresses during the massive breach that was disclosed in September when the retail giant announced that 56 million customer payment cards were compromised in a cyber attack. The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information, the company said. The company also said that the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.

62 of 99 comments (clear)

Min score:

Reason:

Sort:

Home Derpot by sexconker · 2014-11-06 12:44 · Score: 1

Derp
brick and mortar stores by turkeydance · 2014-11-06 12:50 · Score: 2

consistently reinforce their legacy retailing status.
1. Re:brick and mortar stores by Anonymous Coward · 2014-11-06 13:00 · Score: 1
  
  Its not easy, though, to buy plywood or 2x4 online.
2. Re:brick and mortar stores by xaotikdesigns · 2014-11-06 13:12 · Score: 1
  
  It is?
  
  --
  XDInd
3. Re:brick and mortar stores by Jeremy+Erwin · 2014-11-06 15:14 · Score: 1
  
  Why yes, I do want free two day shipping with Amazon Prime!
4. Re:brick and mortar stores by slazzy · 2014-11-06 16:03 · Score: 2
  
  I'm not sure that overpriced little 6" to 12" bits of plywood for crafts counts as buying wood online. I guess if you're into building dollhouses.
  
  --
  Website Just Down For Me? Find out
5. Re:brick and mortar stores by SeaFox · 2014-11-06 17:13 · Score: 2
  
  You are aware the measurements of that wood are in inches right?
6. Re:brick and mortar stores by frank_adrian314159 · 2014-11-07 00:42 · Score: 2
  
  I'll just hire some little people to dance around it once I'm done.
  
  --
  That is all.
7. Re:brick and mortar stores by MachineShedFred · 2014-11-07 02:24 · Score: 1
  
  Yeah, show me a 4 foot by 8 foot sheet of wallboard, or a 50-gallon water heater on Amazon.
  Didn't think so.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
8. Re:brick and mortar stores by Chris+Mattern · 2014-11-07 03:45 · Score: 1
  
  Yeah, show me a 4 foot by 8 foot sheet of wallboard, or a 50-gallon water heater on Amazon.
  Didn't think so.
  The wallboard is indeed nowhere to found, but you can get the water heater: http://www.amazon.com/Rheem-PR...
Home Depot is getting off cheap by hamjudo · 2014-11-06 12:52 · Score: 5, Interesting

TFA says that Home Depot expects to pay "$62 million this year to recover from the incident", referring to exposing the details on 56 million credit cards. That's only $1.11 per exposed card. I used a credit card there during the period, so my Credit Union sent me a new card, plus two other physical letters about the incident. That had to cost them more than $1.11 per affected customer.
1. Re:Home Depot is getting off cheap by xaotikdesigns · 2014-11-06 13:16 · Score: 2
  
  Did your credit union send the letters, or did Home Depot?
  Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.
  
  --
  XDInd
2. Re: Home Depot is getting off cheap by tysonedwards · 2014-11-06 15:27 · Score: 1
  
  There are however these thingamajigs called stamps that are required when sending a physical letter to someone.
  
  --
  Thirty four characters live here.
3. Re:Home Depot is getting off cheap by BradMajors · 2014-11-06 15:29 · Score: 2
  
  Stolen credit card numbers are easily fixed. The thieves have stolen information which can be used for identity theft which is much much harder to fix.
4. Re: Home Depot is getting off cheap by xaotikdesigns · 2014-11-06 15:33 · Score: 1
  
  Yeah, I included them in my calculations
  
  --
  XDInd
5. Re:Home Depot is getting off cheap by cdrudge · 2014-11-07 01:31 · Score: 1
  
  My credit union sent me two snail-mail letters as well as two emails telling me my card likely was included in the breach. They then sent me, via Visa, a new card. Even after I had already activated it, they sent me two follow up letters, one to say that I should have already received my card and that even if I hadn't, my old card would be deactivated on a date, and then on that date I received a letter saying it was deactivated.
  If I'm reading USPS.com right, the cheapest first class letter rate is for an 5-digit zip sorted/trayed automation letter at $.381/letter which cost my credit union $1.905 in postage before even factoring in printing and stuffing the envelops, replacement card costs, and the employee costs for doing all the above.
6. Re: Home Depot is getting off cheap by xaotikdesigns · 2014-11-07 01:37 · Score: 1
  
  So your original point was the expense to your credit union, and not Home Depot? I thought you were saying Home Depot was paying for all that.
  
  --
  XDInd
7. Re: Home Depot is getting off cheap by MachineShedFred · 2014-11-07 02:26 · Score: 1
  
  And there's also a thing called "metered postage" which is far cheaper than using stamps if you send out the kind of mail volume that a bank does.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
8. Re: Home Depot is getting off cheap by cdrudge · 2014-11-07 03:05 · Score: 2
  
  The cheapest first class metered mail for pre-sorted by 5 digit zip code is about $.38/letter. It's cheaper, but I wouldn't say "far cheaper". Standard class bulk mail (aka junk mail) goes cheaper, but can't be used for personalized correspondence, sending out replacement credit cards, etc.
9. Re: Home Depot is getting off cheap by cdrudge · 2014-11-07 03:09 · Score: 1
  
  I wasn't the one that make the original post, but yes, it's an expense to my credit union (and everyone else's credit union or bank) for something that they won't be reimbursed by Home Depot. The cost for Home Depot was what it cost them to investigate the breach, fix it, replace terminals, etc, as well as damage control, credit monitoring for the victims, etc.
10. Re:Home Depot is getting off cheap by david_thornley · 2014-11-07 10:50 · Score: 1
  
  No, Home Depot is externalizing that cost. If they had to pay to reissue each card lost, plus some money to cover the customer's extra trouble while changing card numbers, they'd be paying more than $62M.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I would never give Home Depot my address... by mi · 2014-11-06 12:53 · Score: 5, Informative

I do remember the face of a nice cashier lady in a rural Home Depot — she asked me to "sign up for free" and I refused. It genuinely offended her, though she remained professionally nice... Maybe, now she understands.
And when you have to — or, despite the risks, want to — register with some company, always use an address like yourid+companyname-year@example.com. The nifty feature supported by most mail-servers will still deliver the message into your mbox, but you'll be able to block a particular address, when it gets stolen (or when the party you gave it to in the first place turns to spamming).
GMail supports the feature, Yahoo! Mail might too.
(Of course, owners of their own domains have the infinite supply of even nicer-looking addresses.)

--
In Soviet Washington the swamp drains you.
1. Re:I would never give Home Depot my address... by ls671 · 2014-11-06 13:22 · Score: 1
  
  I just say I don't have an email address. I do use throw away email addresses when really needed to register to on line sites. Even my bank doesn't have my email address.
  Profession: IT consultant
  Your email: I don't have one!
  Hehe...
  
  --
  Everything I write is lies, read between the lines.
2. Re:I would never give Home Depot my address... by drphilngood · 2014-11-06 13:33 · Score: 1
  
  That's one of the reasons that I find mailnull.com to be indispensable. It allows you to create throwaway email addys at a moments notice and if you include the name of the site in the newly created email, you can easily delete the email and never visit their site again. Mailnull's spam filters are superb, as well. Can't ask anything more from a free service.
  
  --
  ~comfortably numb~
3. Re:I would never give Home Depot my address... by antdude · 2014-11-06 13:47 · Score: 1
  
  Where do you set that up on Gmail? I never knew that!
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
4. Re:I would never give Home Depot my address... by mi · 2014-11-06 13:52 · Score: 1
  
  This may be good enough for companies, that force registration needlessly. But there are other cases. Say, you buy something online — and want to get order confirmation and tracking number by e-mail? Or want your transit (bus or train) to warn you, they have a problem before you leave the house...
  There are plenty of legitimate reasons to give your address to other people and companies alike and using "throw-away" addresses is not a good way to keep in touch. My way all of the message still arrive to your normal account. But, by giving a unique address to each party, I can always block one sender without abandoning the "throw-away" account — and all the other, perfectly decent, correspondents, who also know it.
  
  --
  In Soviet Washington the swamp drains you.
5. Re:I would never give Home Depot my address... by c0d3g33k · 2014-11-06 13:59 · Score: 1
  
  You don't have to set anything up - just use the address tag when you supply an email address. It's still a valid email address (see link below), so will still get delivered to your inbox. The extra information in the tag/extension makes the address unique (if you made the tag info unique), so can be used to filter messages, sort them to subfolders etc. depending on what your mail provider supports. Different providers support different separators, Gmail happens to be one that supports the plus.
  https://en.wikipedia.org/wiki/...
6. Re:I would never give Home Depot my address... by ls671 · 2014-11-06 14:06 · Score: 1
  
  It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.
  Despite all that, I rarely provide an email address and surely not to home depot.
  
  --
  Everything I write is lies, read between the lines.
7. Re:I would never give Home Depot my address... by mi · 2014-11-06 14:20 · Score: 1
  
  and yes all addresses end up in the same inbox
  Well, then you do have the same system I proposed only you have to go through the trouble of creating those throw-away accounts before you can use them.
  By using the scheme I outlined (or your own domain) you don't need to pre-make the accounts — you+FOO@gmail.com (and/or FOO@yourdomain.com) already exists for an infinite (well, very large) variety of FOOs.
  
  --
  In Soviet Washington the swamp drains you.
8. Re:I would never give Home Depot my address... by peragrin · 2014-11-06 14:30 · Score: 1
  
  The thing is your method fails the modification test. heck excel or open office can easily parson the +XXX out of your email address quickly. Heck if you are smart you modify it before storing it.
  His method is fool proof. personally I have an old juno.com account that I have to reactivate as it goes dormant every 6 months. when i need it reactivation takes seconds. and then once setup I ignore it.
  
  --
  i thought once I was found, but it was only a dream.
9. Re:I would never give Home Depot my address... by dotancohen · 2014-11-06 21:14 · Score: 1
  
  It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.
  You are going to love this:
  https://www.absorb.it/virtual-...
  Virtual Identity is a Thunderbird addon that automatically puts the right "sender" address when you send an email. It is the reason that I'm married to Tbird.
  
  --
  It is dangerous to be right when the government is wrong.
10. Re:I would never give Home Depot my address... by wisnoskij · 2014-11-07 00:37 · Score: 2
  
  OK, and what is stopping someone from cropping out the tags?
  
  --
  Troll is not a replacement for I disagree.
11. Re:I would never give Home Depot my address... by Quirkz · 2014-11-07 03:28 · Score: 2
  
  always use an address like yourid+companyname-year@example.com.
  You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.
  
  --
  The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
12. Re:I would never give Home Depot my address... by swillden · 2014-11-07 03:46 · Score: 1
  
  Meh.
  I could easily do this, and I used to, but I decided I just don't care. I don't even worry about posting my e-mail address all over the Intenet. What does it cost me? More stuff for my spam folder, but GMail catches all of it, or so close to all of it as makes no difference. I have a message or two per week which slips past the filter, so I just click the "spam" icon and go on with life.
  As for Home Depot, I really like the e-mailed receipts. I wish all stores offered that option; I'd give all of them my e-mail address.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
13. Re:I would never give Home Depot my address... by amxcoder · 2014-11-07 03:54 · Score: 1
  
  I never knew this, that pretty awesome! I did a test on this with a couple of my email accounts, my Hotmail account supports this, unfortunately my personal domain (hosted on HostGator) does not support either the + or - method. Bummer.
  
  Anyone know why only the big email providers like Gmail/Hotmail/etc. support this, but a HostGator does not? Would be nice. Granted, on my personal domain, I can create all the email addresses I want, but would be nice to get this feature.
14. Re:I would never give Home Depot my address... by cyn1c77 · 2014-11-07 15:57 · Score: 1
  
  always use an address like yourid+companyname-year@example.com
  That is an awesome tip!
  Thanks!
15. Re:I would never give Home Depot my address... by Zaiff+Urgulbunger · 2014-11-08 05:23 · Score: 1
  It's staggering just how many websites don't allow plus-addresses. In the UK alone, I have these on my plus-address shit-list:
  
  carphonewarehouse.com
  ebuyer.com
  novatech.co.uk
  whsmith.co.uk
  racbenefits.co.uk
  parking-quote.co.uk (APH Airport parking)
  And a load of smaller sites that I can make exceptions for 'cos they're small businesses and all... but that said, their web-devs are still crap.
  
  I keep meaning to build a plus-address name and shame website just to highlight the amount of derpy devs there are.
16. Re:I would never give Home Depot my address... by Zaiff+Urgulbunger · 2014-11-08 05:55 · Score: 1
  
  always use an address like yourid+companyname-year@example.com.
  You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.
  I have my own domain, and my personal email goes to a traditional firstname.lastname@domain.tld, but when I sign up for anything, I'd prefer to use a unique address, so I have a prefix for such things, let's call it "xyz" and then +supplier-name, so xyz+amazon@domain.tld. When I sign up for something, I add a white-list entry for that address. Anything not white-listed (e.g. xyz-foobar) goes straight to spam.
  
  I *do* forget to add white-list entries sometimes, but that's fine because I do check and manually clear my spam. If anything is in spam, I know to be extra cautious.
  
  Anyone removing the plus from one of my email addresses won't get anywhere because it won't be a valid address. Anyone replacing the bit after the plus with something random will end up in the spam bin, so I'll be more likely to spot.
  
  The only snag is the bit after the plus does tend to be obvious, e.g. "amazon", so I prolly should use something a bit non-guessable. But in practise, spammers aren't being that clever so it's not been a problem for me.... thus far at least!
That's the power of Home Depot by Spy+Handler · 2014-11-06 12:53 · Score: 1

fight the power!
LOL by Lunix+Nutcase · 2014-11-06 13:10 · Score: 4, Informative

And they're a member of CurrentC who wants your bank account info, driver's license and SSN numbers. Who in their right mind would give the MCX or its members companies such info?
1. Re:LOL by The+Good+Reverend · 2014-11-06 16:41 · Score: 1
  
  Oddly enough, though, the Home Depot locations around here still have their NFC terminals working, so I've been able to use Apple Pay.
2. Re:LOL by Anonymous Coward · 2014-11-06 16:46 · Score: 2, Insightful
  
  Exactly.
  Also, to give you an idea of how bad these companies are at security and modern computing: We have to deal with Home Depot for EDI at my workplace. Home Depot requires the use of a specific Internet Explorer version 9.xx and Java builds that are 2+ years old to access their online EDI system. We can't even update our own computers because they are still stuck in 2009.
  Don't give these people direct access to your bank accounts.
Yay for cheapest-bidder contracting! by Narcocide · 2014-11-06 13:13 · Score: 1

Should have hired me instead asshats!
Who Loses Their Executive IT Position? by BoRegardless · 2014-11-06 13:25 · Score: 2

Seems like one of the jobs of IT departments for the last 10 years should have been to have their own surveillance software to be watching for activities that indicate software changes, moving of data, and added code that should be detectable so they can verify what is happening to their systems in near real time.
1. Re:Who Loses Their Executive IT Position? by greenwow · 2014-11-06 13:53 · Score: 5, Interesting
  
  > moving of data,
  If FDR hadn't fought so hard in 1935 against adding a check digit, monitoring for SSNs over the network would be so much easier. Canadian SIN have check digits so a couple of times we were able to detect suspicious file transfers. Yes, the US did a great job getting 25 million SSNs issued within three months, but we're still paying for that decision.
2. Re: Who Loses Their Executive IT Position? by cdwiegand · 2014-11-06 14:48 · Score: 2
  
  Actually per the patriot act you have to give it to your bank. Your insurance company also needs it to report to the irs that you are compliant with the ACA. Lots of people need it and have a legal reason for it, sadly.
  
  --
  . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
3. Re:Who Loses Their Executive IT Position? by amxcoder · 2014-11-07 04:05 · Score: 1
  
  Agree'd, but that principle has been thrown out the window a long time ago. The SSA, when they were created, and still to this day, say that your SSN number is "NOT to be used as a form of ID" or for other purposes besides social security... unfortunately every tom, dick & harry realized it makes for a great personally identifyable serial number, and ignored those rules and it took a foot hold in our society. The ironic part, is that while no one is supposed to have it, or use it for other purposes, now that it's wide spread, it's needs to be one of the most protected numbers you have (due to credit fraud, ID theft, and SS fraud), yet everyone keeps requesting it to use in their database to identify you!
  
  The most gregarious case I've seen it used that used to get under my skin, is colleges that use it as a school ID number. Then when they would post grades, they'd stick a sheet of paper up on the board (seen to everyone) and instead of your name, would post your SSN # and your grade on it, essentially publicly posting everyone in the school's SSN number. And this was supposed to be for "privacy" of course. I always hated this, and couldn't comprehend why they refused and found it so hard to just issue serial numbers to all the students that they generated instead.
4. Re:Who Loses Their Executive IT Position? by david_thornley · 2014-11-07 10:56 · Score: 1
  
  The SSN is a perfectly good identification number. It's terrible at authentication, though. If everybody treated the number as identification, and not as any sort of hint that the person supplying the number is the legitimate person for that number, there wouldn't be any problem.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
5. Re:Who Loses Their Executive IT Position? by amxcoder · 2014-11-07 15:35 · Score: 1
  
  It's a perfectly good identification number for what it's intentions are. However, I don't want the same identification number to be used by government agencies, schools, IRS, banks, Credit card companies, hospitals, etc.
  
  While I have a problem with SSN numbers used for identification, mostly due to principles, in that they aren't supposed to be. The bigger problem with using them as ID for everything, is that your personal, global credit/debt history/report is tied to this number, along with IRS records. Meaning, if anyone gets and uses this number in a fraudulent way, your credit report and possibly your financial identification is screwed. Talk to someone who has had IDTheft before, you can't get these credit bureaus to remove fraudulent data, and it can literally ruin your financial and credit reputation for many, many years, and possibly put you in an ill relationship with the IRS as well.
  
  For a ID number to have that much power over your life, it should not be used for other things that are comparatively trivial, like school ID numbers.
6. Re:Who Loses Their Executive IT Position? by david_thornley · 2014-11-08 16:12 · Score: 1
  
  Right, the problem is with people misusing other people's SSNs. The reason they can get away with this is that approximately nobody asks for proper authentication. Instead, they pretend that the SSN is authentication. A scheme where you're assigned a number that you can't change that is used for authentication is either incredibly stupid or incredibly callous.
  Similarly, ID theft isn't really ID theft. It's a particularly nasty form of fraud that institutions go along with because it's no problem of theirs if other people's reputations are ruined.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:Okay then by Anonymous Coward · 2014-11-06 13:25 · Score: 3, Informative

Glad that's over!
It's not over.
Which part of "Microsoft product" did Home Depot not understand?

According to an Oct. 1, 2013, report prepared for Home Depot by consultant FishNet Security, the retailer left its computers vulnerable by switching off Symantec’s Network Threat Protection (NTP) firewall in favor of one packaged with Windows.
http://www.businessweek.com/ar...
Home Cheapo (what my sister's always called it) by rmdingler · 2014-11-06 13:49 · Score: 1

Did your credit union send the letters, or did Home Depot?
Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.
For a corporation with $78 Billion in revenue, $62 million is like you paying the paperboy his Christmas bonus.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
1. Re:Home Cheapo (what my sister's always called it) by ColdWetDog · 2014-11-06 15:27 · Score: 4, Funny
  
  Paperboy?
  Bonus?
  Are these English words?
  
  --
  Faster! Faster! Faster would be better!
Re:Okay then by JDG1980 · 2014-11-06 14:27 · Score: 2

According to an Oct. 1, 2013, report prepared for Home Depot by consultant FishNet Security, the retailer left its computers vulnerable by switching off Symantecâ(TM)s Network Threat Protection (NTP) firewall in favor of one packaged with Windows.
No enterprise installation should ever be relying on individual client firewall software for network security. At best, that should be a second line of defense. It is the job of the perimeter firewall to handle these kind of threats.
Time to switch to CurrentC and... by exabrial · 2014-11-06 15:28 · Score: 1

Time to switch to CurrentC and hand over all my information to the people in the MCX. They're so responsible and knowledgable about information security and real world threats!
Running Windows and offshoring to India by WindBourne · 2014-11-06 16:43 · Score: 2

This will get you EVERYTIME.
Yes, Home Depot offshored significant amounts of their admin. THis allows India to work on the computers in the middle of the night. However, like target, and the others, it enables ppl that have NO VESTED INTEREST in the company, or the nation, to have access to production.

This will continue as long as companies continue to cheat.

--
I prefer the "u" in honour as it seems to be missing these days.
Portions of Home Depot's network? by lippydude · 2014-11-07 00:13 · Score: 1

"the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada."

What Operating System did this self-checkout system run on?
Never shop there anymore anyway by Squidlips · 2014-11-07 01:48 · Score: 1

I have personally had problems with Home Depot's quality I shop at the local hardware stores instead
Re:Okay then by MachineShedFred · 2014-11-07 02:21 · Score: 1

And if they are already inside your network from an unsecured port on a wall somewhere, or through internal wireless?
Point-of-sale systems should be firewalled out the ass.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
CurrentC save us! by TheDawgLives · 2014-11-07 02:35 · Score: 1

[sarcasm]Man, I can't wait to sign up for Current C and give them direct access to my bank account and all my personal information![/sarcasm]

--
-TheDawgLives suckitdown
Home Depot's Apology Email to Customers by McGruber · 2014-11-07 06:22 · Score: 1

Home Depot sent this email out to its customers:

Dear Valued Customer,
The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.
In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.
Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.
Sincerely,
The Home Depot

I was struck by how the letter did not say anything about what HD has done to ensure that something like this will not happen again to them.
I believe the breach has reached my address by txoutback · 2014-11-07 07:57 · Score: 1

My personal email was under good control for blocking junk mail via my SpamAssassin filter and local junk box filters, up until around the time the breach was announced. Since then I have been receiving a dozen or so very well crafted spam emails, all text and all formatted in a similar fashion, containing a row or two of lines with a "reference number" "case number" or something along those lines.