1. Update: Likely Data Security Breach at iContact.com

    On the day I posted Suspected Data Security Breach at iContact.com I was contacted via Facebook by someone with an email address @icontact.com. I forwarded them the same information that I sent to their abuse team. I’ve not heard anything back since.

    Others have picked up on this likely breach at iContact.com:

    iContact have answered some concerns: they are looking into the problem.

    I have been contacted by one of the sites/services whose address-list has been breached, simply to ask to be kept in the loop with iContact.com’s response.

    I have done some further research into my mail folders. I have found one address which iContact.com have on record which has not yet received any spam. As a result, this address hasn’t been compromised and has been replaced by HIDDEN on this public website. iContact’s abuse team has been provided with the full details, however:

    Received: from smtp7.icpbounce.com ([::ffff:216.27.93.119])
     by faelix.net with esmtp; Tue, 01 Jan 2008 01:12:36 +0000
     id 000013C1.47799384.00003B72
    Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
           by smtp7.icpbounce.com (Postfix) with ESMTP id 43D6197750
           for <HIDDEN>; Mon, 31 Dec 2007 19:54:34 -0500 (EST)
    Date: Mon, 31 Dec 2007 19:54:34 -0500
    

    This address hasn’t received any emails this month:

    mail:~# ls -l /var/log/mail.log*
    -rw-r----- 1 root adm  9351785 2010-01-28 11:45 /var/log/mail.log
    -rw-r----- 1 root adm 13870643 2010-01-24 06:23 /var/log/mail.log.1
    -rw-r----- 1 root adm  1451508 2010-01-17 06:24 /var/log/mail.log.2.gz
    -rw-r----- 1 root adm  1257403 2010-01-10 06:24 /var/log/mail.log.3.gz
    -rw-r----- 1 root adm  1828195 2010-01-03 06:25 /var/log/mail.log.4.gz
    mail:~# zgrep HIDDEN /var/log/mail.log*
    mail:~# 
    

    The last email sent to this address was via iContact.com on 17th July 2009:

    Received: from smtp15.icpbounce.com ([::ffff:216.27.93.111])
     by faelix.net with esmtp; Fri, 17 Jul 2009 23:30:51 +0100
     id 000010FE.4A60FB9D.000039C9
    Received: from localhost.localdomain (localhost [127.0.0.1])
           by smtp15.icpbounce.com (Postfix) with ESMTP id D37AA6A0C98
           for <HIDDEN>; Fri, 17 Jul 2009 18:01:58 -0400 (EDT)
    Date: Fri, 17 Jul 2009 18:01:58 -0400
    

    Timeline

    - March 2002: photonlight@maz.nu receives its first iContact.com mail
    - 1st January 2008: HIDDEN receives its first iContact.com mail
    - 7th Feb 2009: macheist.com@maz.nu receives its first iContact.com mail
    - 1st April 2009: macheist.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    - 2nd April 2009: bloomsbury.com@maz.nu receives its first iContact.com mail
    - 14th May 2009: slimes@maz.nu receives its first iContact.com mail
    - 17th July 2009: HIDDEN receives its last iContact.com mail (address still valid)
    - 27th July 2009: bloomsbury.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    - 30th December 2009: photonlight@maz.nu receives its last iContact.com mail (address now blacklisted)
    - 18th January 2010: slimes@maz.nu receives its last iContact.com mail (address now blacklisted)

    At first I wondered if the anomalous address, HIDDEN, was an indicator that perhaps only addresses recently sent a newsletter by iContact.com had been breached (i.e. those contacted after 17th July 2009). The counter-example is macheist.com@maz.nu which has been receiving emails only via Google’s mailers since April 1st 2009, so that theory doesn’t hold water. However, it would appear that not all of my addresses on file at iContact have been spammed yet, so perhaps this isn’t a total breach… or perhaps I’m still waiting for HIDDEN to be hit!
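The first/last timeline and the "has this address been hit yet?" check above can be automated over a mail archive. The following is an added example, not code from the original post: the addresses, the receiving host `mx.example.org`, the relay `mail.unknown.example` and the sample headers are constructed, and the relay name is taken as recorded by the receiving server in the topmost `Received:` line (a stricter check would also compare the connecting IP).

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

EXPECTED_RELAY = "icpbounce.com"  # the only sender each tagged address was given to
DATE_RE = re.compile(r";\s*(\w{3},\s+\d{1,2}\s+\w{3}\s+\d{4}\s+[\d:]{8}\s+[+-]\d{4})")

def summarise(raw_messages, expected=EXPECTED_RELAY):
    """Per address: first/last mail via the expected relay, plus a count of
    mail handed over by any other relay (the leak indicator)."""
    report = {}
    for raw in raw_messages:
        received = message_from_string(raw).get_all("Received", [])
        if not received:
            continue
        top = received[0]  # stamped by our own MX, so the only hop we trust
        host = re.search(r"from\s+(\S+)", top)
        when = DATE_RE.search(top)
        rcpt = re.search(r"for\s+<([^>]+)>", " ".join(received))
        if not (host and when and rcpt):
            continue
        stamp = parsedate_to_datetime(when.group(1))
        if stamp.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            stamp = stamp.replace(tzinfo=timezone.utc)
        entry = report.setdefault(rcpt.group(1).lower(),
                                  {"first": None, "last": None, "other": 0})
        name = host.group(1).lower().rstrip(".")
        if name == expected or name.endswith("." + expected):
            entry["first"] = min(entry["first"] or stamp, stamp)
            entry["last"] = max(entry["last"] or stamp, stamp)
        else:
            entry["other"] += 1
    return report

def leaked(report):
    """Addresses that received mail from a relay other than the expected one."""
    return sorted(a for a, e in report.items() if e["other"])

def _msg(relay, rcpt, date):  # constructed headers in the layout shown above
    return (f"Received: from {relay} ([192.0.2.10])\n by mx.example.org with esmtp; {date}\n"
            f"Received: from localhost.localdomain (localhost [127.0.0.1])\n"
            f"\tby {relay} (Postfix) with ESMTP id 43D6197750\n\tfor <{rcpt}>; {date}\n\nbody\n")

SAMPLES = [  # constructed: tag-a only ever sees the expected relay, tag-b does not
    _msg("smtp7.icpbounce.com", "tag-a@example.org", "Tue, 01 Jan 2008 01:12:36 +0000"),
    _msg("smtp15.icpbounce.com", "tag-a@example.org", "Fri, 17 Jul 2009 23:30:51 +0100"),
    _msg("smtp15.icpbounce.com", "tag-b@example.org", "Thu, 02 Apr 2009 10:00:00 +0100"),
    _msg("mail.unknown.example", "tag-b@example.org", "Mon, 18 Jan 2010 09:00:00 +0000"),
]
```

An address with `other == 0` corresponds to HIDDEN in the timeline: on file with the sender but not yet reached by anyone else.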
