One of the big, scary security/privacy news stories of the past week has been the hack/leak/oopsie at a company called Epsilon. Yeah, a company got hacked, no biggie, right? Yeah, well, except they also do the email marketing for other companies, companies like Best Buy, Citibank, Capital One, and others, and the data stolen were thousands of emails. Real emails for real people. Which brings me to the point of this post:
Why steal email addresses in the first place? Because they have real value to spammers and scammers.
Looking at some of the coverage (and there has been a lot since this is big news):
- Epsilon Internet security breach affects Canadian consumers – Digital
- Epsilon Breach Raises Specter of Spear Phishing — Krebs on Security
- Errata Security: How to protect yourself from future “Epsilon” breach
- After Epsilon: Avoiding Phishing Scams & Malware — Krebs on Security
And some related posts (having to do with targeted attacks, aka spearphishing):
- How I nearly got scammed on Facebook | Digital Media – CNET News
- Spearphishing + zero-day: RSA hack not “extremely sophisticated”
- Errata Security: How to protect yourself from future “Epsilon” breach
There is an underlying thread: you don’t steal something that doesn’t have any value. If these recent breaches didn’t confirm it, our spam folders have known for years that email is a great way to scam people. What makes the Epsilon info so, so valuable is that the people buying those addresses know that they are almost all going to be valid. Not only that, if the right data was pulled out as well, they can target their attacks on people based on where they bank and shop.
Beyond the links above that help guide you and keep you from getting scammed (pretty much: be very careful which links you click and, if unsure, go there directly), this is the wake-up call to remember that your personal information, including and especially your email address(es), is a valuable commodity to evil-doers.
Maybe you sign up for fewer newsletters or just say no when asked for your email address at a store (or postal code or ZIP code for that matter). Maybe you double-check all those pre-checked boxes when you sign up for services, the ones that often just mean you’re getting put onto yet another list to try to sell you stuff.
Regardless of what you do now, we all need to remember that you don’t have to sacrifice privacy to use technology; you just have to know when to say when.