On the day I posted Suspected Data Security Breach at iContact.com I was contacted via Facebook by someone with an email address @icontact.com. I forwarded them the same information that I sent to their abuse team. I’ve not heard anything back since.
Others have picked up on this likely breach at iContact.com:
iContact have answered some concerns: they are looking into the problem.
I have been contacted by one of the sites/services whose address-list has been breached, simply to ask to be kept in the loop with iContact.com’s response.
I have done some further research into my mail folders. I have found one address which iContact.com have on record which has not yet received any spam. As a result, this address hasn’t been compromised and has been replaced by HIDDEN on this public website. iContact’s abuse team has been provided with the full details, however:
Received: from smtp7.icpbounce.com ([::ffff:216.27.93.119])
  by faelix.net with esmtp; Tue, 01 Jan 2008 01:12:36 +0000
  id 000013C1.47799384.00003B72
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
  by smtp7.icpbounce.com (Postfix) with ESMTP id 43D6197750
  for <HIDDEN>; Mon, 31 Dec 2007 19:54:34 -0500 (EST)
Date: Mon, 31 Dec 2007 19:54:34 -0500
This address hasn’t received any emails this month:
mail:~# ls -l /var/log/mail.log*
-rw-r----- 1 root adm  9351785 2010-01-28 11:45 /var/log/mail.log
-rw-r----- 1 root adm 13870643 2010-01-24 06:23 /var/log/mail.log.1
-rw-r----- 1 root adm  1451508 2010-01-17 06:24 /var/log/mail.log.2.gz
-rw-r----- 1 root adm  1257403 2010-01-10 06:24 /var/log/mail.log.3.gz
-rw-r----- 1 root adm  1828195 2010-01-03 06:25 /var/log/mail.log.4.gz
mail:~# zgrep HIDDEN /var/log/mail.log*
mail:~#
The last email sent to this address was via iContact.com on 17th July 2009:
Received: from smtp15.icpbounce.com ([::ffff:216.27.93.111])
  by faelix.net with esmtp; Fri, 17 Jul 2009 23:30:51 +0100
  id 000010FE.4A60FB9D.000039C9
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp15.icpbounce.com (Postfix) with ESMTP id D37AA6A0C98
  for <HIDDEN>; Fri, 17 Jul 2009 18:01:58 -0400 (EDT)
Date: Fri, 17 Jul 2009 18:01:58 -0400

Timeline
At first I wondered if the anomalous address, HIDDEN, was an indicator that perhaps only addresses recently sent a newsletter by iContact.com had been breached (i.e. those contacted after 17th July 2009). The counter-example is macheist.com@maz.nu which has been receiving emails only via Google’s mailers since April 1st 2009, so that theory doesn’t hold water. However, it would appear that not all of my addresses on file at iContact have been spammed yet, so perhaps this isn’t a total breach… or perhaps I’m still waiting for HIDDEN to be hit!
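The manual check above (grep for one tagged address, then read its Received headers) can be run over every per-service address at once. The Python below is an added example, not part of the original post. The /24 network, the use of the To header to find the recipient, the function names and the sample messages are all assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Assumption: the provider's relays share one /24, inferred from the two
# icpbounce.com relay IPs quoted in the post. Use the sender's real ranges.
EXPECTED_NET = ipaddress.ip_network("216.27.93.0/24")
PEER_IP = re.compile(r"\[(?:::ffff:)?([0-9A-Fa-f:.]+)\]")  # "[::ffff:216.27.93.119]"
STAMP = re.compile(r";\s*(.+?[+-]\d{4})")                   # date after the ';'

def audit(raw_messages, tagged):
    """Per tagged (lower-case) address: last delivery from the expected
    network, plus every delivery from anywhere else (a sign it has leaked)."""
    report = {a: {"last_expected": None, "unexpected": []} for a in tagged}
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Only the top Received header was written by our own MTA; the
        # ones below it are supplied by the sender and prove nothing.
        top = " ".join(msg.get_all("Received", [""])[0].split())
        ip_m, ts_m = PEER_IP.search(top), STAMP.search(top)
        if not (ip_m and ts_m):
            continue
        peer = ipaddress.ip_address(ip_m.group(1))
        when = parsedate_to_datetime(ts_m.group(1))
        for _, addr in getaddresses(msg.get_all("To", [])):
            entry = report.get(addr.lower())
            if entry is None:
                continue
            if peer not in EXPECTED_NET:
                entry["unexpected"].append((when, str(peer)))
            elif entry["last_expected"] is None or when > entry["last_expected"]:
                entry["last_expected"] = when
    return report

def leaked(report):
    return sorted(a for a, e in report.items() if e["unexpected"])

def _msg(ip, date, to):  # constructed message in the post's header layout
    return (f"Received: from mail.example ([::ffff:{ip}]) by mx.example.org"
            f" with esmtp;\n {date} id 0000.0000\nTo: <{to}>\n\nbody\n")

# Constructed sample data: two tagged addresses, one hit from an outside relay.
TAGGED = {"shop-a@example.org", "shop-b@example.org"}
SAMPLES = [
    _msg("216.27.93.119", "Fri, 17 Jul 2009 23:30:51 +0100", "shop-a@example.org"),
    _msg("203.0.113.45", "Wed, 20 Jan 2010 04:10:02 +0000", "shop-a@example.org"),
    _msg("216.27.93.111", "Mon, 04 Jan 2010 09:00:00 +0000", "shop-b@example.org")]
```

An address that appears in `leaked()` has received mail from outside the expected network; one with an empty `unexpected` list, like HIDDEN in the post, has only been seen from the provider so far.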