Tag: spam

iDrive doesn’t take security seriously

I’ve mentioned before how I’m able to act as a canary in the email-database coal mine. …And how companies often don’t take my free, valuable chirps seriously. It happened again.

The unique email address I use to access iDrive started receiving spam in February 2018. It wasn’t just any spam; these sophisticated phishing emails were sent to an email address only iDrive had, and also contained my username/login.

When I contacted iDrive, they blew me off.

Then they blew me off again. More accurately, they gave me plenty of lip service, denial, and smoke far up my ass. (All the while admitting other people had contacted them regarding the phishing). This continued for several calls over several weeks. Until I posted publicly on twitter.

iDrive CEO Raghu Kulkarni promptly contacted me.

We talked about the difference between companies reacting appropriately to breaches:

twitter had just announced a big breach and contacted millions upon millions of users asking them to change their passwords

…and companies reacting poorly:

idrive trying to convince a whistle-blower there wasn’t a breach, despite hard evidence. (How does one prove a negative, anyhow?)

In exchange for deleting my tweet, Mr. Kulkarni agreed to set up a crisis communications plan. Within a week’s time, he promised to get all levels of iDrive customer support on board with an appropriate response, should a similar problem arise in the future.

More lip service

Weeks later a friend who signed up for iDrive because of my recommendation contacted them regarding the phishing attempt. He received the same brush-off I did.

iDrive does not take data security seriously.

I only have evidence of a third party accessing email addresses and usernames. Did they also gain access to other allegedly secure bits? I don’t know. Probably not. All the more reason to just react appropriately, and send an email warning customers that somebody gained access to a subset of clients’ usernames and email addresses. …With a little note about how to avoid sophisticated phishing attempts. …Phishing they have hard evidence of. iDrive doesn’t want to do this, clearly.

How did this iDrive breach happen?

Maybe an employee had this info on their laptop or PC, which was then infected with malware. The malware shared the data.

Maybe a former or current employee sold the data to spammers or used it for personal gain?

Maybe it was a good old fashioned breach by some 1990s movie-style hackers.

I can tell you one thing for sure; as in many cases, nobody seems to know. I don’t know how it happened. iDrive won’t even admit there was a breach. What we do know is that iDrive would rather brush evidence of a minor breach under the rug than address it properly.

What would iDrive do after a more serious breach?

I don’t trust them with my data anymore. I’m looking for a new data backup provider. I’ve been with iDrive for years. I really wanted them to do the right thing so I could stay with them. Alas, I don’t trust them, now.

Screenshots of both phishing spams I received are included below. I can only assume the spam continued for others; I set my iDrive email address to return a server error upon message receipt, so I can’t tell you. Spam sucks. So do companies that don’t take security seriously.

idrive phishing spam
First evidence of iDrive hack
idrive email breach
Second evidence of iDrive breach.

 

Dan Dreifort consults on SEO, UX, and sometimes crawls out of the woodwork to opine on infosec, too, it would seem. His band Cat Shit’s new album (Make America Shit Again) hits in June 2018.

 

 

CheapoDrugs.com Database Hacked?

cheapodrugs-blog
Not all companies care about privacy

Update: 7/1/2017
If you use CheapoDrugs.com, stop. If you put any faith in the CIPA, stop. Neither of these organizations take cybersecurity seriously. I don’t consider them good stewards of your or my personal information. Neither organization will address evidence of a breach. …The CIPA at least gave me lip service for a while, before blowing me off.

Is CIPA legit? If CIPA doesn’t hold its members accountable, it’s worthless and you should ignore its recommendations and “certifications”.ย  Check out the Wikipedia entry for more evidence. Malarkey.

Original post follows

For almost 20 years, because I’m a big nerd, I’ve been using unique email addresses for every single website. e.g. the email address I give VictoriasSecret.com is different than the one I use to sign in to Fredericks.com.

When I start getting spam at an email address, I can quickly turn off that one address.

Problem solved. No more spam.

For those of you thinking, “That multi-address thing sounds like an ongoing hassle!” All addresses come into a single inbox. It’s easy. …It wasn’t necessarily easy to setup, but that was forever ago. Who even remembers that? ๐Ÿ˜‰

Canary in an internet coal mine

Anyhow, if I start getting spam to an address, and its content is unrelated to the site/business where I used the address, something is amiss. If it’s a biz/site I don’t care about, I just kill that address. However, when it’s a biz I care about, I let them know. I’m a canary in a coal mine. But much larger, and figuratively in email databases instead of literally in a coal mine. I also lack feathers.

Most of the time these businesses are thankful when I have an opportunity to act as an email canary. They listen. I tell them, “I don’t know how it happened, but somebody got into your database. I don’t know what they didn’t get, (credit cards? social security number?) but I can tell you that they for sure have your email list.”

How did somebody get our database?

There are three likely routes:

  • One of your employees or contractors grabbed it and sold it or is using it themselves.
  • Somebody hacked into your system and stole it.
  • A computer/laptop with your db and/or email list got infected with malware, which then sent the list to its devious hacker makers.

There are other options, but those three methods account for the vast majority of email leak incidents.

Why oh why is he blogging about this?

Cheapodrugs.com. I used ’em. …And while I still sometimes use Canadian pharmacies for my sweet, sweet drugs, I haven’t used Cheapo Drugs in a few years.

How strange then, that a little over a week ago I started receiving emails to the address I only gave to Cheapo Drugs. Within these emails I’m encouraged to use a coupon code to save on drugs at safemedspills by clicking on a tinyurl.com link. Nope. Not. Clicking. That.

What’s worse, the email contained evidence that the spammers also have access to other Cheapo Drugs’ clients’ information. (Full name, address, etc.)

I emailed Cheapo Drugs and let them know what had happened and shared with them the three possibilities (see above). In their reply, Cheapo Drugs confirmed that, shocker, they had not sent me the spam emails. The only other substance in their missive was, “We guarantee our patients that we do not sell their information to any phishing websites.” …I never said that you sold your address list. Idiots.

I went back and forth with Cheapo Drugs customer support a few more times trying to help them understand, but was met with a stonewall of non-customer-service. I even called and talked to somebody. I’ll spare you the frustrating details and summarize: Cheapo Drugs does not take proof of a database leak seriously. What to do?

Reporting a pharmacy to CIPA

I contacted CIPA, the Canadian International Pharmacy Association. Let’s see if CIPA takes this more seriously than Cheapo Drugs. …It would be hard not to. I’ll report back.

Sidenote: Now that Gmail’s spam filtering is so on fleek, I’ve considered using my gmail address more, in lieu of the system above. However, doing so isn’t as secure as using a different address for every site. Especially if you use the same password for multiple websites. Natch, I use unique passwords for each site, too. hashtag: nerd.