Bits from Bill Pytlovany: Epsilon lets its customers fix their security failure

By Bill Pytlovany
Last week a serious failure in protecting names and Email addresses occurred, due to a security flaw at a company named Epsilon. This may be the largest failure in protecting names and Email in my lifetime. Epsilon is trying to downplay this failure by claiming it only lost 2% of its database.
Even though you may never have heard of Epsilon, by now many of you have received letters from companies that use Epsilon to handle their mass Emailing. What we know to be compromised so far is only your name and Email address, but the attackers will also know which companies you do business with.
So you should expect the following.
1) More Spam
2) More Phishing:
You should expect to see targeted Emails that appear to come from the companies affected by this failure. The Email will appear to come from your bank, and it will address you by name. As I often recommend, DO NOT CLICK on links found in an Email. Go directly to the company web site (type the address yourself or use a bookmark you saved earlier) and see if there is a problem.
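As an added illustration (this is not code from Bill's post), here is a small Python checker that applies that advice mechanically: it pulls every link out of an HTML message and flags the ones whose real destination does not match the sender's domain, or does not match the address shown to the reader, which is exactly the trick a targeted phish plays. The sample message, the sender and all domain names in it are constructed for the example, and the two-label domain comparison is a deliberate approximation; a production filter would consult the Public Suffix List.

```python
"""Flag phishing-style links in an HTML email.

Added example, not part of the original post. The message below is
constructed; example-bank.com and example.net are placeholders.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From header claims to be the bank, the first link's
# visible text shows the bank's URL, but the href goes somewhere else entirely.
SAMPLE_PHISH = """\
From: "Example Bank Alerts" <alerts@example-bank.com>
To: jane@example.com
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane,</p>
<p>Please <a href="http://example-bank.com.login-verify.example.net/login">https://www.example-bank.com/login</a> to confirm your details.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/">our site</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Fine for .com/.net; a real checker
    would use the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(raw_message):
    """Return {href: [reasons]} for links that look like phishing lures."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = registrable_domain(m.group(1)) if m else ""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    collector = LinkCollector()
    collector.feed(body)

    findings = {}
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative links etc. carry no host to judge
        reasons = []
        link_domain = registrable_domain(host)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link host is a raw IP address")
        elif link_domain != sender_domain:
            reasons.append(f"link goes to {link_domain}, not the sender's {sender_domain}")
        # If the anchor text itself looks like a URL or hostname, it must agree
        # with where the href actually points.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != link_domain:
            reasons.append(f"visible text shows {shown.group(1)} but href goes to {host}")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_PHISH).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the first link is reported, with two reasons: it leaves the sender's domain and its visible text lies about the destination. Note that the From header is taken at face value here; a spoofed From still gets caught by the link checks, which is why the sender comparison is paired with the visible-text comparison rather than trusted on its own.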
Security researcher Brian Krebs maintains a partial list of affected companies, which he has been updating daily. It is reproduced below.
- 1800-Flowers
- Abe Books
- Air Miles CA
- Ameriprise Financial
- Barclays Bank of Delaware
- Beachbody
- Bebe Stores Inc.
- Benefit Cosmetics
- BestBuy
- Brookstone
- Capital One
- Charter Communications (Charter.com)
- Chase
- Citibank
- City Market
- The College Board
- Crucial.com
- Dell Australia
- Dillons
- Disney Vacations
- Eurosport/Soccer.com
- Eddie Bauer
- Food 4 Less
- Fred Meyer
- Fry’s
- Hilton Honors
- The Home Shopping Network
- Jay C
- JP Morgan Chase
- King Soopers
- Kroger
- LL Bean
- Marks & Spencer (UK)
- Marriott Rewards
- McKinsey Quarterly
- Moneygram
- New York & Co.
- QFC
- Ralphs
- Red Roof Inns Inc.
- Ritz Carlton
- Robert Half
- Smith Brands
- Target
- TD Ameritrade
- TIAA-CREF
- TiVo
- US Bank
- Verizon
- Viking River Cruises
- Walgreens
- World Financial Network National Bank
List updated and maintained by http://krebsonsecurity.com/
So far, Epsilon has been quiet except for the brief statement mentioned above. They're letting their customers handle the brunt of this public relations nightmare.
So far I’ve received two Emails but I expect more.
This post is excerpted with Bill's permission from his blog.
About Bill Pytlovany
BillP Studios founder and industry insider Bill Pytlovany was at one time best known for his leading role in creating the software behind the service now called AOL. These days Bill is better known for helping to increase the performance and security of hundreds of thousands of computers through his award-winning product, WinPatrol.
I’ve started to see a lot of spam, at least 3 at a time. 9 different companies on that list with which we do business.
Beyond angry, I am.
The Largest Privacy Failure Ever!?
Yeah, by Epsilon – where the heck did they get the info or the permission for our info and data???
Do you see a pattern here? It must be pretty lucrative to pass clients’ addresses along to the SPAM idiots. The so-called ‘hacked’ companies can cry wolf, but it’s really them that gave the addresses away!
I never never sign up to buy anything online, if I can buy it without having to ‘create an account’, I don’t.
@Susanne What does that have to do with this? All they got was email addresses, not your email password. Epsilon wouldn’t have that on file anyway.
But for anyone who thinks this is just bad because of spam, consider that you can use an email to search for someone on Facebook, where most people don’t keep their info that private. Then, using that and the email’s “I forgot my password” security questions, get into the email account. You could have a question like “Father’s middle name”, which is relatively easy to figure out with the help of just Facebook and whitepages.
Now they have access to your email accounts and anything linked to them. Your passwords are probably in your emails too, since many sites don’t encrypt them and will send them to you as a reminder.
So even though they say no personally identifiable info was taken, all that a person would need is just the email address itself. I think spam would be the least of your problems if you’re unlucky.
This is old news really.
I’ve had two emails in the last year or so, one recently from Winamp and one not so long ago from Play.com, both have had the same issues.
Although I think they kept it quiet.
Add Sears to the list.
Add Scottrade to that list as well
I’ve received (legitimate) emails from Bank of America and Scottrade warning me of Epsilon’s screwup. So there’s 2 more huge companies to add to the list.
Also Deviantart.com (which may not seem important, but considering they do handle a lot of credit card transactions, it’s more critical than most may realize).
Redcats was also hit. It’s a conglomerate/parent company that has 16 major clothing company sub-companies.
I also received a letter from HSN and Crucial about being hacked.
I have had 20+ emails that appear to be from me sent to my contacts (with assorted subjects). These are not in my “sent folder” at Yahoo.com. I have set up a private code for friends/family to put in the subject line of my emails.