|email marketing company hacked|
I'm getting spam to addresses in their database
Whenever I sign up with a company or for a list, I use a unique email address specific to that company/list, and never use that address for anything else. Today I got pharma/ED spam to various of those unique addresses. After a little research, I found the common thread: The companies I gave those addresses to use [mailing list] services. ([this company] provides mailing list services to businesses, e.g. sending newsletters to a company's customers.)
So it looks like [they were] hacked and email addresses were stolen. (I doubt they'd be foolish enough to *sell* the addresses.)
This is one reason I recommend using a unique email address for every entity you do business with, if possible. Providers like Gmail and Dreamhost make this easy with plus-addressing. If your address is email@example.com, then you can use firstname.lastname@example.org whenever you fill out a form. (e.g., me+Name1@example.com, me+Name2@example.com) Anything with a plus address goes to your main mailbox. If you start getting spam to your plus address, you can turn off just that address, and all your other email will be delivered.
Remember, even if you trust a company to whom you give your address to not sell it to others, the company could be hacked -- or the company's email provider could be hacked.
[edited by: phranque at 5:50 am (utc) on Dec. 20, 2009]
[edit reason] specifics [/edit]
I used to do that but it meant having a catchall mailbox. I eventually got swamped with spam addressed to (random name)@example.com
I find two addresses, one for public use and one for friends and family seems to work fine.
Actually, this *doesn't* require you have a catch-all mailbox. You have *one* mailbox, with plus addresses.
So far, spammers haven't started making up random plus addresses, and they're unlikely to, because they know that would just mean that multiple copies of the message would go to the same person. Spammers are trying to reach many people, not the same person 100 times.
How do you turn a plus off in gmail?
One down side is that some places incorrectly will tell you that a + sign is not an allowed character in an e-mail address.
Others are now reporting on the spam hack.
BradleyT, Google "gmail plus addressing" for more on how it works.
The fact that some sites don't allow plus signs in addresses isn't a *downside* to using a plus address if you're able to. An inability to do something is not a disadvantage of doing something. That is, this is not a downside to using a plus address when you're able to.
[edited by: phranque at 5:51 am (utc) on Dec. 20, 2009]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]
Update: This hack is now being reported elsewhere on the net, but WW's policies prevent me from naming the company in question or linking to related external threads, sorry. So if your company uses a third-party email marketing service and you want to see if your cutomers' email addresses were compromised, try Googling:
"[the name of the email marketing service you use] compromised"
to see if the company in question is the company you use.
BTW, one blog post reports that the company has said that it is aware of the issue and “doing extensive investigations into any possible issues.”
Now the company in question has admitted the breach. They posted a statement on their website explaining that email addresses were indeed stolen, but that's all that was stolen.
[edited by: phranque at 1:45 pm (utc) on Dec. 23, 2009]
[edit reason] hosting specifics [/edit]