Huge email database hacked
December 15, 2010 12:45 AM

Silverpop Systems Inc., an email marketing firm with 105 customers, has had its database systems hacked last week.

Silverpop was a subcontractor for Arc Worldwide, a major promotional marketing company. So far, affected clients include
McDonald's:
"The information contained in the database is limited to your email address and potentially also your name, postal address, home or cell phone number, birth date, gender, and certain information about your promotional preferences or web information interests."

DeviantART, with 16 million members:
"As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed."

Walgreens:
The criminal used the list to send out realistic-looking spam that asked recipients to enter their personal information into a Web page controlled by hackers.
"We are sorry this has taken place and for any inconvenience to you,"
No prescription information or other health information was stolen, the company said — the criminal only managed to pilfer customer e-mail addresses.

The FBI are investigating. The sites that have warned their customers are advising them to be wary of spam attempting to gain financial or other data via email, and any attempt to send them to a fake password reset page.
posted by ArkhanJG (47 comments total) 4 users marked this as a favorite
 
Let's pretend this is part of the epically titled 'cyberwar.'

If that is so then I propose the following sequence:
19th century warfare is defined by the lines of battle.
20th century warfare goes beyond the lines.
21st century warfare has no lines.
posted by TwelveTwo at 12:54 AM on December 15, 2010 [1 favorite]


Sorry, I'm a little lost here. 105 customers? That's like nothing.
posted by GilloD at 1:00 AM on December 15, 2010 [2 favorites]


The customers of Silverpop are large organisations; Silverpop handles the bulk email services for companies like DeviantART, Santander US, Encyclopaedia Britannica, Air New Zealand, Mazda, BMI Baby etc etc. Plus they do the grunt work for an unknown number of companies who use Arc Worldwide for their promotions and marketing, like McDonalds and Walgreens.

Between them, it's easily hundreds of millions of user email addresses and other marketing data, along with which company that data is associated with. It's rich hunting material for phishing attacks, and spammers have already been trying to get Walgreens customers to visit a walgreens themed site to get more information from them.
posted by ArkhanJG at 1:07 AM on December 15, 2010 [6 favorites]


Let us all be fucked, so none of us will be fucked.
posted by The Whelk at 1:08 AM on December 15, 2010 [7 favorites]


If you give all your details or subscribe to a McDonalds newsletter or promotion you probably deserve all the shit that comes your way.
posted by adamvasco at 1:12 AM on December 15, 2010 [6 favorites]


Sorry, I'm a little lost here. 105 customers? That's like nothing.

More inside. Did you read it?

If you give all your details or subscribe to a McDonalds newsletter or promotion you probably deserve all the shit that comes your way.

I can't argue with this, but DeviantArt? I always assumed it was, you know, its own thing...
posted by Jimbob at 1:23 AM on December 15, 2010 [2 favorites]


I just got an e-mail from Deviantart about this today. While I appreciate them letting me know, I am very annoyed by this. I've managed to keep my gmail spam free for at least three years now, and now I might start getting slammed with it because one company can't keep their stuff secure. Just irritating! And how do you manage to get an entire database hacked, isn't that like a pretty large complex thing?
posted by dargerpartridge at 1:55 AM on December 15, 2010


I predict in the near future we will see the following changes-

Every site of any consequence will have a warning about using a unique password. This warning will go entirely unheeded by many people.

Financial institutions and major online merchants will begin enforcing a unique security layer where the user must enter a user name or a second password which is generated by the server and cannot be changed.

Overpriced commercial programs will pop up for "password management" which amount to little more than an encrypted spreadsheet with a random character generator for "secure passwords" which are only as secure as the remote server. Existing freeware applications and newly developed open source applications will be more robust and properly encrypted. If a particularly easy to use password manager that doesn't frustrate the technophobic pops up, it will be the standard. We should all hope it is secure.

The newest online scam will be false password managers which are promoted as being limited time free offers when they "supposedly" sell for some false price. They may either cease functioning and demand an upgrade to some pro version to keep working without mentioning this caveat beforehand or they will outright steal passwords and send them to a central server.

Tech support, ISPs, banks, and online merchant support will collectively gather new headaches as they are accused of everything from poor security to hacking their bank account due to their password reuse.

My only surprise is that it took so long for this to become an issue. This XKCD comic says it all too well. Password entropy is not the issue, although enforcing at least modest password strength is important. Password reuse is the biggest threat, yet the most obvious solution I can see (Unchangeable component not generated by the user) seems to lead to yet another way uninformed users can be burned online, one that may be worse than ever before.

I hope I'm wrong and that someone will find a more viable solution to the pitfalls of password reuse. Of course, it won't get much attention until more and more people lose money, business information, and other important info to attacks like these.
posted by Saydur at 2:01 AM on December 15, 2010 [10 favorites]


It'd be nice if Google / Amazon / Ebay got together with a unified hardware token single sign on standard. Kind of like Paypal/Ebay's RSA tokens, but with a password entry into the token itself. Bonus points if there were a hardware standard for computers to hand off the sign on wirelessly to your token so that you could use an insecure computer (say public library) to log on with only that one session compromised at worst.
posted by BrotherCaine at 2:17 AM on December 15, 2010 [1 favorite]


If you give all your details or subscribe to a McDonalds newsletter or promotion you probably deserve all the shit that comes your way.

No, someone doesn't deserve any shit because they subscribed to a McDonalds newsletter. They deserve to have their information kept safe so they can enjoy their free biscuit.
posted by marxchivist at 2:25 AM on December 15, 2010 [42 favorites]


They deserve to have their information kept safe so they can enjoy their free biscuit.


Heh. Nothing is free.
posted by IvoShandor at 2:31 AM on December 15, 2010


21st century warfare has no lines.

21st century war? Seriously?

If "war" now means a bunch of people vaguely inconveniencing each other over the internet for a couple days sign me up. That sounds like a hell of an improvement to me.
posted by delmoi at 2:40 AM on December 15, 2010 [25 favorites]


If you give all your details or subscribe to a McDonalds newsletter or promotion you probably deserve all the shit that comes your way.

This is the modern internet version of "it's your fault for wearing that short skirt."
posted by chavenet at 2:52 AM on December 15, 2010 [20 favorites]


I'm kind of curious what penalties, if any, a company like this pays out for this. Your average person isn't going to care that Silverpop leaked their info, they're going to care that Walmart couldn't be half arsed to keep their stuff secure. It hurts Walmart (yay?), not Silverpop.

Well, assuming they stay in business. I assume companies like Walmart operate on a one-strike policy.
posted by maxwelton at 2:53 AM on December 15, 2010


I just got an e-mail from Deviantart about this today. While I appreciate them letting me know, I am very annoyed by this. I've managed to keep my gmail spam free for at least three years now, and now I might start getting slammed with it because one company can't keep their stuff secure. Just irritating! And how do you manage to get an entire database hacked, isn't that like a pretty large complex thing?

Gmail has a pretty handy filter feature, where you can put "+sometext" after your username and the email will still reach your inbox - e.g. user+deviant@gmail.com will be treated by Gmail as user@gmail.com. This means you can set up Filters to handle compromised email addresses, by e.g. changing your DeviantArt email address to user+deviant2@gmail.com and setting a Filter to automatically delete any incoming email to user+deviant@gmail.com (since the only people sending to that address now would be spammers).

Only downside is that some websites (incorrectly) do not allow a + symbol in an email address, even though it is a valid character for an email address.
posted by EndsOfInvention at 3:13 AM on December 15, 2010 [6 favorites]


Only downside is that some websites (incorrectly) do not allow a + symbol in an email address, even though it is a valid character for an email address.

Well, that and the first thing you do if you're whitewashing a list is strip everything after the plus on gmail domains.
posted by Leon at 3:18 AM on December 15, 2010 [13 favorites]


I hope I'm wrong and that someone will find a more viable solution to the pitfalls of password reuse.

The real solution is two-factor authentication. We're rapidly approaching the point where we'll need an RSA token built into credit and debit cards, and a variety of similar "soft tokens" running on our equipment. The days of passwords alone are pretty much done... my bank makes me register each new computer (not certain how it identifies my machines, be it IP or cookie or something weirder) with one of a half dozen or so pre-selected questions. This is better than a password, but the questions, while easy to remember the answer to, are also easy for a third party to guess if they do a little research about you.

While better than a password alone, it still relies on the security of an identity database. Stronger cryptographic solutions are required, and ironically, are probably easier for users to wrangle than a zillion passwords... a token (physical or simulated) and a four-numeral PIN.

Hell, it doesn't have to be a numeral - the interface could be logograms. Your PIN could be bunny-bunny-frog-flower.

Part of the slowness in adopting this is the stranglehold RSA has on the token market. We may need to wait for a few patents to expire.
posted by Slap*Happy at 4:27 AM on December 15, 2010 [1 favorite]


Silverpop Systems Inc, an email marketing firm with 105 customers has had its database systems hacked last week.

The thing is was that...ah, fuggit.
posted by auralcoral at 4:45 AM on December 15, 2010


There are decent alternatives to RSA tokens, though, especially for widespread distribution to bank customers. Cryptocard is a commercial alternative, or, a paper gridcard would be even easier for an entity like a bank to distribute. There are other schemes as well, like "input the 2nd, 4th, and 7th letters of your secret word" (that example is pretty prone to brute-forcing, but you get the idea).

Two-factor doesn't stop MITM attacks, however, CSRF or other session-jacking attacks. (That's fine, it was never advertised otherwise.)

Anyway, what makes this interesting in the context - not that you may get more spam, but that the attacker is aware of organizations with whom you already have a relationship.
posted by These Premises Are Alarmed at 5:06 AM on December 15, 2010


Here's a tip: Don't connect your must-be-kept-private database to the Internet. Problem solved.
posted by DU at 5:18 AM on December 15, 2010


If "war" now means a bunch of people vaguely inconveniencing each other over the internet for a couple days sign me up.

I don't think the claim is that this event is a war, or even a battle. The claim is that acts such as these could be part of some future war.

Or even more ominously, that these events are the battles and we're not even noticing. Each one is a relatively minor inconvenience, but each one also marginally increases a Big DB o' Info out there on people. A Big DB that could be used for nefarious purposes in the future.

And don't give me that "you don't have anything to fear if you've done nothing wrong" crap. Do you want, for instance, all possible future US administrations to know you bought a copy of, and gave a glowing review to, The Communist Manifesto?
posted by DU at 5:24 AM on December 15, 2010


MITM attacks, with the exception of phishing, are difficult to automate with two-factor. ATM skimmers, for one, would be rendered useless.

It would still leave the user open to directed attacks, but mass-mining of authentication credentials and casual credit card fraud would be a thing of the past.
posted by Slap*Happy at 5:30 AM on December 15, 2010


And how do you manage to get an entire database hacked, isn't that like a pretty large complex thing?

the phrase 'entire database hacked' is an example of what i call slopspeak. it's no more large and complex than saying 'i had my entire house robbed', or 'i had my entire closet emptied'.

you 'hack an entire database' by gaining access to the computer it lives on and copying the files for your own use.
posted by quonsar II: smock fishpants and the temple of foon at 5:32 AM on December 15, 2010 [2 favorites]


Here's a tip: Don't connect your must-be-kept-private database to the Internet. Problem solved.

The list of email addresses you want to spam with your direct marketing is, by definition, internet-required.
posted by Phredward at 6:17 AM on December 15, 2010 [3 favorites]


Is anyone else noticing that none of these companies who've been hacked are telling us *when* exactly the hack on Silverpop happened? If anyone finds info about that in any coverage, feel free to share, because I've only found one article that bothered to mention that McDonald's didn't say when the hack happened. No other reporters seem to think that's worth discussing.

Is anyone else wondering if in some if not all of these newly announced cases, the hacks happened weeks if not months ago, and they're only now being announced to take advantage of the distraction of the Gawker hack?
posted by mediareport at 6:17 AM on December 15, 2010 [1 favorite]


A receptionist answering main number for marketing company Arc Worldwide said she didn't have a public relations department to transfer reporters to. A spokeswoman for Silverpop declined to answer questions, but issued a statement that read in part:

When we recently detected suspicious activity in a small percentage of our customer accounts, we took aggressive measures to stop that activity and prevent future attempts. Among other things, we unilaterally changed all passwords to protect customer accounts and engaged the FBI's cybercrime division. It appears Silverpop was among several technology providers targeted as part of a broader cyber attack. We have notified all customers impacted by this activity. We are currently focused on working with our customers, especially the small percentage impacted by these events.

Beyond the cliche about chains being only as strong as their weakest links, the lesson here is that companies that expose their customers' secret data can't be trusted unless they come clean about what went wrong and what they've done to prevent it from happening again. So far, Silverpop hasn't done that.


"Recently."
posted by mediareport at 6:25 AM on December 15, 2010


Ok, I'll stop now, but I really don't trust companies like Silverpop to be honest when they get hacked like this. Customers at the very least deserve to know how quickly Silverpop reacted, and for how long their information was compromised before they were notified. That's just fucking baseline journalism in these stories. Reporters should be asking that question, repeatedly, and putting "Silverpop declined to answer questions about when it first noticed the attack" in every article about this.
posted by mediareport at 6:30 AM on December 15, 2010 [1 favorite]


Wow, didn't take long for that backdoor in IPSec to get utilized, did it?
yes I know this wasn't that
posted by Old'n'Busted at 6:32 AM on December 15, 2010 [1 favorite]


What's interesting to me is that most people who give their information to, say DeviantART, probably don't have any idea that it's being offloaded to other companies for marketing. In fact, DeviantART probably agrees in its TOS not to sell or distribute your information, but it still gives that information to Silverpop to handle its own marketing.

So if I'm savvy, maybe I think to myself: "well, DeviantART isn't much of a target for hackers and they probably have pretty good security and I don't mind spam from them, so fine, here's my email address". What I should be thinking is: "oh, DeviantART is going to send my information to a company that is probably one of the tastiest targets on Earth because all it does is collect information for marketing purposes for companies like McDonald's and Walgreens, and I've never even HEARD of that company so I have no idea how its security is."

The thing is that even if a company has a decent privacy policy, you really have no idea what that company is doing with your personal info. The only answer, as far as I can tell, is to have an email address you never bother to check that you use solely for registering with websites. That doesn't address security issues on sites where your real world PII is required (such as banking or e-commerce sites) but at least it gets you past the spam.
posted by The Bellman at 7:06 AM on December 15, 2010 [1 favorite]


Luckily there is an easy method for generating unique passwords for the sites you regularly visit.
  1. Think of a sentence that only you know, like "My phlathbaum tookie yanking fizzbottom daaayum"
  2. Replace each space with the product of the number of letters in the words before and after the space: "My20phlathbaum60tookie42yanking70fizzbottom70daaayum"
  3. Now remove all but the first and last letters of each word: "My20pm60te42yg70fm70dm"
  4. Replace zeros with a capital letter O: "My2Opm6Ote42yg7Ofm7Odm"
  5. Now capitalize any letter that precedes a capital O, ignoring intervening numbers: "MY2OpM6Ote42yG7OfM7Odm"
  6. Now take the first two letters of the domain name, and insert them after the first consonant. So for metafilter.com: "MmeY2OpM6Ote42yG7OfM7Odm"
  7. Add your birthday on the end: "MmeY2OpM6Ote42yG7OfM7Odm09112001"
  8. Last, add an exclamation point: "MmeY2OpM6Ote42yG7OfM7Odm09112001!"
Easy.
posted by swift at 7:08 AM on December 15, 2010 [12 favorites]
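The recipe above, replayed step by step as an added example (my code, not swift's or anyone else's in the thread; function and parameter names are my own). It reproduces the strings given in the comment, and `site_dependent_positions` shows the property worth noticing: two sites' passwords differ only in the two inserted domain letters, so one leaked password exposes nearly the whole pattern, birthday included.

```python
# Added example (not from the thread): a literal implementation of the
# eight-step per-site password recipe in the comment above, so the steps
# can be replayed and checked against the strings the commenter gave.
# Function and parameter names here are my own assumptions.

VOWELS = set("aeiouAEIOU")


def _ends(word: str) -> str:
    """Step 3 helper: keep only the first and last letter of a word."""
    return word if len(word) == 1 else word[0] + word[-1]


def recipe_steps(sentence: str, domain: str, birthday: str) -> list:
    """Return the intermediate strings after steps 2 through 8."""
    words = sentence.split()
    steps = []

    # Step 2: replace each space with the product of the neighbouring word lengths.
    s2 = words[0]
    for prev, nxt in zip(words, words[1:]):
        s2 += str(len(prev) * len(nxt)) + nxt
    steps.append(s2)

    # Step 3: shrink every word to its first and last letter (numbers stay).
    s3 = _ends(words[0])
    for prev, nxt in zip(words, words[1:]):
        s3 += str(len(prev) * len(nxt)) + _ends(nxt)
    steps.append(s3)

    # Step 4: zeros become capital O.
    s4 = s3.replace("0", "O")
    steps.append(s4)

    # Step 5: capitalise the letter before each capital O, skipping digits.
    chars = list(s4)
    for i, ch in enumerate(chars):
        if ch != "O":
            continue
        j = i - 1
        while j >= 0 and chars[j].isdigit():
            j -= 1
        if j >= 0 and chars[j].isalpha():
            chars[j] = chars[j].upper()
    s5 = "".join(chars)
    steps.append(s5)

    # Step 6: insert the domain's first two letters after the first consonant.
    tag = domain[:2]
    first_consonant = next(
        i for i, ch in enumerate(s5) if ch.isalpha() and ch not in VOWELS
    )
    s6 = s5[: first_consonant + 1] + tag + s5[first_consonant + 1 :]
    steps.append(s6)

    # Steps 7 and 8: append the birthday, then an exclamation mark.
    s7 = s6 + birthday
    steps.append(s7)
    steps.append(s7 + "!")
    return steps


def derive_site_password(sentence: str, domain: str, birthday: str) -> str:
    """The final string of the recipe for one site."""
    return recipe_steps(sentence, domain, birthday)[-1]


def site_dependent_positions(sentence: str, birthday: str,
                             domain_a: str, domain_b: str) -> list:
    """Indices at which the passwords for two sites differ; every other
    character is shared between the sites."""
    a = derive_site_password(sentence, domain_a, birthday)
    b = derive_site_password(sentence, domain_b, birthday)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    example = ("My phlathbaum tookie yanking fizzbottom daaayum",
               "metafilter.com", "09112001")
    for n, s in enumerate(recipe_steps(*example), start=2):
        print(f"step {n}: {s}")
    print("positions that vary by site:",
          site_dependent_positions(example[0], example[2], "metafilter.com", "walgreens.com"))
```

Running it prints the seven intermediate strings from the comment and reports that only positions 1 and 2 change between metafilter.com and walgreens.com.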


my bank makes me register each new computer (not certain how it identifies my machines, be it IP or cookie or something weirder) with one of a half dozen or so pre-selected questions

I use a number of banks for different things and they all do this, only they make me "authorize" the machine the first time I use it with a code that they provide (via SMS or automated voice) to one of the phone numbers I have on the account. They won't even email the code, for some reason.

As far as I can tell it is neither IP nor cookie -- maybe it's MAC address? Can they get that from a browser?
posted by The Bellman at 7:09 AM on December 15, 2010


As far as I can tell it is neither IP nor cookie

It is from a cookie. You can load a different browser and the computer will be unregistered.
posted by Threeway Handshake at 7:18 AM on December 15, 2010


It is from a cookie. You can load a different browser and the computer will be unregistered.

At least as to Chase that is not the case. Different browsers on the same machine still work, private browsing works, and clearing cookies has no effect. I found it pretty interesting so I did some tests.
posted by The Bellman at 7:23 AM on December 15, 2010


The US Treasury, for its "TreasuryDirect" consumer accounts, uses a combination of username/password and a paper gridcard for security. Each time you log in it asks for a couple of numbers corresponding to letters that you supply. (The card has letters along one axis and then a field of numbers, or maybe vice versa, it's been a while.) It's not a bad system, although it does create a long delay in the account-creation process because you have to send the gridcard out via paper mail.

Of course, they also make it nearly goddamn impossible to transfer money into the account, to say nothing of getting it out, so that probably discourages attacks.

But it wouldn't be hard for regular banks to do something similar to this. You could print a random 5x5 grid on the back of each user's ATM card -- which is something people are used to safeguarding and probably carry around with them -- and ask for a number or two off of it with each login, or maybe just logins from a new computer. It's not a perfect system but it's probably more practical than sending out RSA keyfobs to everyone, most of which are going to be immediately lost and lead to a ton of password-reset requests.
posted by Kadin2048 at 7:27 AM on December 15, 2010
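A minimal server-side model of the gridcard login Kadin2048 describes, as an added example (my code, not TreasuryDirect's or any bank's). The card layout (5x5 cells, one two-digit value each), the two-cell challenge, and all names are assumptions. Because a two-cell challenge on such a card has only 10,000 possible answers, the model includes the two controls the scheme needs to be usable at all: each challenge is single-use, and the account locks after a few failures.

```python
# Added example (not from the thread or from TreasuryDirect): a minimal
# server-side model of a paper gridcard login. Card layout, cell format and
# all names are my own assumptions.
import hmac
import secrets

ROWS = "ABCDE"
COLS = "12345"
CELLS = [r + c for r in ROWS for c in COLS]   # "A1" ... "E5"
VALUES = [f"{n:02d}" for n in range(100)]     # each cell holds "00".."99"


def make_gridcard(rng=secrets) -> dict:
    """Print-time generation of one card: a random two-digit value per cell."""
    return {cell: rng.choice(VALUES) for cell in CELLS}


def issue_challenge(n: int = 2, rng=secrets) -> list:
    """Pick n distinct cells for the user to read off the card."""
    chosen = []
    while len(chosen) < n:
        cell = rng.choice(CELLS)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def answer_challenge(card: dict, challenge: list) -> str:
    """What the user types: the cell values, in challenge order."""
    return "".join(card[cell] for cell in challenge)


class GridcardServer:
    """Holds enrolled cards, issues one-shot challenges, enforces a lockout."""

    def __init__(self, max_failures: int = 3):
        self.cards = {}
        self.pending = {}
        self.failures = {}
        self.max_failures = max_failures

    def enroll(self, user: str, card: dict) -> None:
        self.cards[user] = dict(card)

    def start_login(self, user: str, rng=secrets):
        """Return a challenge, or None if the account is unknown or locked."""
        if user not in self.cards or self.failures.get(user, 0) >= self.max_failures:
            return None
        self.pending[user] = issue_challenge(2, rng)
        return list(self.pending[user])

    def finish_login(self, user: str, response: str) -> bool:
        # Pop the challenge so a captured response cannot be replayed against it.
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = answer_challenge(self.cards[user], challenge)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok


if __name__ == "__main__":
    server = GridcardServer()
    card = make_gridcard()
    server.enroll("alice", card)
    challenge = server.start_login("alice")
    print("challenge:", challenge,
          "->", server.finish_login("alice", answer_challenge(card, challenge)))
```

In practice the card would be stored encrypted or as per-cell hashes, and the challenge would only be demanded for logins from unrecognised devices, as the comment suggests; the lockout counter is what stops the small answer space from being exhausted online.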


A group of hackers/spammers spent valuable time hacking into a Mc Donalds and Walgreens e-mail list? Doesn't there come a point where whoever spent time doing this has a reflective moment and says, "What the fuck am I doing? I could be hacking into a bank or some kind of infrastructure, and I'm spending my time pilfering a list for cheeseburger coupons."
posted by crapmatic at 7:40 AM on December 15, 2010 [2 favorites]


At least as to Chase that is not the case. Different browsers on the same machine still work, private browsing works, and clearing cookies has no effect. I found it pretty interesting so I did some tests.

It is, in all likelihood, a Flash cookie, AKA Locally Stored Object in Adobespeak (they probably use regular cookies for session management, to handle users without Flash, and as a backup). Flash cookies are the same across browsers on a machine, are still transmitted in private browsing mode, and can only be cleared by accessing the very well hidden Flash player preferences. It's the dirty little secret of the web tracking game.
posted by zachlipton at 8:01 AM on December 15, 2010


A group of hackers/spammers spent valuable time hacking into a Mc Donalds and Walgreens e-mail list?

when you're a 14 year old boy you gotta have SOMETHING to fill the time between fapping sessions on /b/.
posted by quonsar II: smock fishpants and the temple of foon at 8:34 AM on December 15, 2010


A group of hackers/spammers spent valuable time hacking into a Mc Donalds and Walgreens e-mail list?

People find value in different things; I've dedicated quite a few hours to creating a huge hole in Minecraft. Just a big, deep hole that goes from the surface all the way down to the bedrock.

I can't sell my hole to some shady mass-marketer for a big sack of cash and email lists are probably not as stringently protected as banks. So in terms of wasted time vs. payout, I've lost big when compared to the WTF? hackers.
posted by quin at 9:09 AM on December 15, 2010


"What the fuck am I doing? I could be hacking into a bank or some kind of infrastructure, and I'm spending my time pilfering a list for cheeseburger coupons."

Assuming the motivation wasn't sheer boredom, people who have opted in for free stuff from McDonalds are more likely to opt into other things as well (like, say, your phishing scam).
posted by zippy at 9:28 AM on December 15, 2010


It was the Hamburglar!
posted by quadog at 9:50 AM on December 15, 2010 [2 favorites]


Luckily there is an easy method for generating unique passwords for the sites you regularly visit.

1. Think of a sentence that only you know, like "My phlathbaum tookie yanking fizzbottom daaayum"
...
8. Last, add an exclamation point: "MmeY2OpM6Ote42yG7OfM7Odm09112001!"


9. Write this on a post-it and stick it on the wall next to your computer.

Easy!
posted by chavenet at 10:15 AM on December 15, 2010


Another Gmail trick is to insert periods in your address. Gmail still works even with something like m.y.e.mail.addre.ess@gmail.com. Then you can filter on that address.

I have to admit that I learned this trick from spammers, but there is no reason I can't use it against them. You might want to configure the filter right away though, otherwise you'll never figure out who sold you out.
posted by mike_bling at 10:29 AM on December 15, 2010
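The two Gmail tricks in this thread, plus-tags (EndsOfInvention) and dotted local parts (mike_bling), as an added example that is mine rather than any commenter's. `triage_recipient` is the inbox-side filter: burned aliases go to the trash, live aliases get a label so the source of each message stays visible. `canonical_gmail` is the normalisation Leon points out a list cleaner can apply, which is the limit of the trick. All names and sample addresses are constructed for this example.

```python
# Added example (not from the thread): Gmail alias filtering as discussed
# above, and the normalisation that defeats it. Names and sample addresses
# are constructed for this example.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_gmail_address(addr: str):
    """Return (base, tag, domain) for a Gmail address, else None."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or domain.lower() not in GMAIL_DOMAINS:
        return None
    base, _, tag = local.partition("+")
    # Gmail ignores dots and case in the local part.
    return base.replace(".", "").lower(), tag, domain.lower()


def canonical_gmail(addr: str) -> str:
    """Collapse dots and strip any +tag: the form a de-duplicating sender uses."""
    parts = split_gmail_address(addr)
    if parts is None:
        return addr.strip().lower()
    base, _, domain = parts
    return f"{base}@{domain}"


def triage_recipient(addr: str, burned_tags: set, burned_aliases=frozenset()) -> str:
    """Decide what an inbox filter should do with mail sent to addr.

    burned_tags    - +tags already leaked (e.g. {"deviant"})
    burned_aliases - exact dotted local parts already leaked
    """
    parts = split_gmail_address(addr)
    if parts is None:
        return "deliver"
    _, tag, _ = parts
    raw_local = addr.strip().rpartition("@")[0].lower()
    if (tag and tag.lower() in burned_tags) or raw_local in burned_aliases:
        return "trash"          # only spammers write to this form now
    if tag:
        return f"label:{tag}"   # still-clean alias: label it to keep the source visible
    return "deliver"


def triage_all(addrs, burned_tags: set, burned_aliases=frozenset()) -> dict:
    return {a: triage_recipient(a, burned_tags, burned_aliases) for a in addrs}


SAMPLE_RECIPIENTS = [  # constructed
    "user+deviant@gmail.com",
    "user+deviant2@gmail.com",
    "m.y.e.mail.addre.ess@gmail.com",
    "User+Deviant@GoogleMail.com",
    "user@example.org",
]

if __name__ == "__main__":
    for addr, action in triage_all(SAMPLE_RECIPIENTS, {"deviant"}).items():
        print(f"{addr:35} -> {action:15} (canonical: {canonical_gmail(addr)})")
```

The last column of the output is the point Leon makes: every Gmail variant in the list collapses to the same canonical address, so a sender that normalises before mailing is not caught by either trick.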


As far as I can tell it is neither IP nor cookie -- maybe it's MAC address? Can they get that from a browser?

It apparently is possible, at least in IE on Windows (using either JS or ActiveX), but I'm not sure about other platforms. Personally I find it odd and unsettling for a web browser to have any visibility at all into levels of the network stack below the application layer, but I guess that's Windows/IE for you.

There may be a way to do something similar in Firefox with signed Javascript, but I can't find any examples.

I suspect that they may just be using an IP address.
posted by Kadin2048 at 10:53 AM on December 15, 2010


509,736,153 RECORDS BREACHED from 2,038 DATA BREACHES made public since 2005 privacyrights.org (scroll down)

So the average is approaching 10 million records getting lost/stolen every month.
posted by Lanark at 11:22 AM on December 15, 2010


A group of hackers/spammers spent valuable time hacking into a Mc Donalds and Walgreens e-mail list? Doesn't there come a point where whoever spent time doing this has a reflective moment and says, "What the fuck am I doing? I could be hacking into a bank or some kind of infrastructure, and I'm spending my time pilfering a list for cheeseburger coupons."

Or they might be doing it for a list of millions of people who may or may not understand the difference between a legitimate corporate promotional email/password reset form and your phishing scam. Even if only a tenth of a percent of people fall for that, that's a TON of passwords/info you could use for identity theft or other iffier purposes.

Hell, I'm sure you could make a few hundred thou re-selling the lists to spammers.
posted by thsmchnekllsfascists at 11:30 AM on December 15, 2010


Last, add an exclamation point: "MmeY2OpM6Ote42yG7OfM7Odm09112001!"

I just reset my password to this one. Feeling secure already!
posted by vidur at 11:41 AM on December 15, 2010 [4 favorites]


Well that blows. I happen to work for a business that uses Silverpop. We haven't heard word one about it from them - they have no mention of the data breach on their client site or their support site. If I were in management around here I would have already decided to get myself a new email vendor for xmas.
posted by smartyboots at 12:35 PM on December 15, 2010



