Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security IT

Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised? 247

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

Comments Filter:
  • by Jah-Wren Ryel ( 80510 ) on Monday February 25, 2013 @12:33AM (#43000121)

    This does not directly address the question, but it is topical.

    I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin [] for thunderbird.

    It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.

  • Re:Is it fixed? (Score:5, Informative)

    by t4ng* ( 1092951 ) on Monday February 25, 2013 @01:44AM (#43000431)

    Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

    Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed by email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

    Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.

  • Re:Is it fixed? (Score:3, Informative)

    by CaptQuark ( 2706165 ) on Monday February 25, 2013 @02:23AM (#43000605)
    One problem with publicly acknowledging the compromise is the bad guys realize they have been detected and stop connecting to the system. Our security team requires us to leave any compromised machine "as is" so they can monitor what the computer does, who it contacts, who connects to it, and how the infection is spread on the network. They will purposefully leave the machine running and letting the infection spread so they can gather the maximum information about it before they pull the systems for further forensic analysis. This is standard practice at many large companies, even if they don't tell everyone about it for obvious reasons. Just because they don't reply to you doesn't mean they aren't working 16-hour days trying to stop or catch the perpetrators. Even sending you a simple e-mail saying they are reviewing the situation might be enough to scare off the bad guys if they have compromised the email system farther than just harvesting contacts.
  • by Anonymous Coward on Monday February 25, 2013 @02:34AM (#43000663)

    "I create a unique email address for each company I deal with, and each website I register on."

    Does nobody of you morons know of

    Why on earth would someone create a mailaddress just to register to a website when mailinator with their gazillion aliases exists?

    Just give them as email address, read it _once_ to click the confirmation link and forget it.

Never buy from a rich salesman. -- Goldenstern