cancel
Showing results for 
Search instead for 
Did you mean: 

Potential email address leak?

hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Potential email address leak?

I received a two spam emails today. One to an email address I only ever used for the UserGroup forum (last used 2009) and one I only use to receive Plusnet Service Status messages.
They both have the same source IP address in Vietnam.
Do we have a problem?
22 REPLIES
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: ‎11-08-2007

Re: Potential email address leak?

I wonder if you are seeing another instance of this - New email security breach at Plusnet ? (Feb 2016)
... which Plusnet have not made any comment on, in an entire month !
Crazy

If you look at your email headers, do they also contain other Plusnet customers email addresses, particularly mailbox names that look to be associated with the Usergroup forum ?
hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

No, they seem more like the initial test messages sent out in this previous example.
hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

Today I received the next messages with zip attachments.
I am surprised that I seem to be the only one posting about this, given the furore in  late 2014.
So I contacted Plusnet support, where it was suggested I keep posting here or call tomorrow during office hours. That latter suggestion is not practical for me, so I will post again. I will also post a single message on the end of the old topic, in case someone spots it there who is interested.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: ‎31-08-2007

Re: Potential email address leak?

Hello John, sorry to hear about your problems, do keep us updated. Thanks for posting about this, as if it weren't for Nibiru's response I wouldn't have know about that post in February - missed that one. Let's hope anyone else with similar problems responds as well.
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: ‎11-08-2007

Re: Potential email address leak?

... and I likewise didn't find this related topic - "Spam to Plus.net Service Status specific email address @ 2016/01/21 22:53"  until just two days ago !  Undecided
HolaPussycat
Grafter
Posts: 50
Registered: ‎29-03-2011

Re: Potential email address leak?

Thank you for linking all the topics together guys, I've been so busy lately, I haven't had a chance badger Plusnet for a response on my previous post.
I've just checked my server logs (obviously I can now only see attempted deliveries to a mailbox that doesn't exist) and sure enough, there have been some more attempts to deliver to that address:
Quote
swoofe.ru
149.154.68.194
webmaster Cry mg-spb.ru
Mar 14, 2016 1:04:01 AM
nschwmtas03p.mx.bigpond.com
61.9.189.143
grimreepa Cry bigpond.com
Feb 5, 2016 11:59:11 AM

mail-am1hn0245.outbound.protection.outlook.com
157.56.112.245
Thorstein.Olafsson Cry omega.no
Feb 3, 2016 4:37:16 PM

Crying emoticon in the sending addresses (possibly not falsified in the case of the second one) replacing the obvious character,
James
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: ‎31-08-2007

Re: Potential email address leak?

And still no comment from Plusnet!
hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

For info, I haven't received other spam to the two targeted email addresses.
The Plusnet Service Status address is still working, as it received a couple of genuine messages today.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: ‎31-08-2007

Re: Potential email address leak?

Well I suppose that can only be a good thing John.
hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

I just received a pair of 'test' messages, with the same content as the initial ones a month ago. This time from a Mali IP address.

 

If Plusnet are ignoring this, hoping it will go away, it ain't working.

Superuser
Superuser
Posts: 12,723
Thanks: 3,982
Fixes: 26
Registered: ‎22-08-2007

Re: Potential email address leak?


Anotherone wrote:
And still no comment from Plusnet!

And that's after a couple of PMs to one of the management team.

Sadly after the pasting @bobpullen got last time he tried to be up front and honest about matters such as this, I'm not surprised (even though it saddens me) that there is no response here from the front line team.  Sadly I suspect that PN towers is being run by the BT legal lads these days, rather than honest engineers of days long time past.

hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

I received a repeat of the initial messages again, on 24/04/16.

 

So I have submitted a question to Plusnet.

 

What's the betting the first response is a link to spam advice, instead of an actual answer to my question...

hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Potential email address leak?

I had a 24 minute online chat about this today.

 

info: You are now chatting with C.
C:
Good afternoon, I'm C. How can I help?

Me: Hi C
C:
Hi J.

Me: I have a problem that I have posted on the community forum at https://community.plus.net/t5/Email/Potential-email-address-leak/m-p/1329269
C:
Okay.

Me: Do you want to look at the forum or for me to repeat stuff here?
C:
I'm just having a look at the post myself.

C:
What mailboxes are the messages received by, are they targeted at random addresses?

C:
If you have 'catch all' enabled on your account then this might indicate the cause of the problem.

C:
I am aware of this issue and have previously discussed the issue with security and data protection officers but we haven't found any evidence of a genuine leak of information.

Me: I will disregard your first two responses as they are meaningless in the light of my posting. The targeted mailboxes were only ever together within Plusnet and are the only mailboxes being targeted. The latter is evidence that they were harvested together and the former is the only place they could have been harvested. This supports the only possible conclusion that they were leaked from data held by Plusnet.
C:
The Plusnet User Group service is in fact operated by a third party and not as part of Plusnet. So this is not indication of a security breach within Plusnet's organisation.

Me: Can you explain any other connection between the usergroup email address data and the status email address data?
C:
I don't unfortunately have any more information on this specific problem. My advice at this stage is to enable the 'catch all' and if you are receiving spam mail to use our spam filter.

Me: I already have catchall enabled but, as I am careful with my email addresses, I receive approximately 7 spam emails per week (plus the two I have received due to this problem). I therefore do not need a third party spam filter. Thanks for your suggestion, but it does not have any bearing on determining the cause or source of the leaked data.
C:
Okay, then at this stage I would advise to wait a further response in regards to this issue on the community forum page.

Me: Does that mean that Plusnet will be continuing to investigate?
C:
We will work closely with those who moderate the user group, user tools and community forum to investigate the issue and provide an appropriate investigation and response.

Me: Thanks C, I will post further responses to the forum.
C:
No problem. Is there anything further that I might be able to help you with?

Me: No, thanks.
C:
It's been great chatting to you today. I really appreciate your time and would love to hear any feedback that you might have.

Please click this link to close the chat and answer a few questions about the experience you have had with me today.

Don't forget to subscribe to <a href="www.youtube.com/user/plusnethelp target=" _blank="">Plusnet Help on YouTube for further help and support.

Enjoy the rest of your day!

The info I gleaned from that was that somewhere, sometime, usergroup email address data and Plusnet service status email addresses existed together in the same place and that was the point of vulnerability..

 

PS. The only changes I made to the above chat were the names and my typos (to make it easier to read).

Superuser
Superuser
Posts: 12,723
Thanks: 3,982
Fixes: 26
Registered: ‎22-08-2007

Re: Potential email address leak?

OK so from the above, a simple question: in who's domain / control / environment is the pug service hosted?

The chat agent's response does not seek to deny that these emai addresses have been leaked, only denial is that anything has been leaked from PlusNET controlled services.  That being the case, the implication in the response is that PlusNET has no breach case to answer.

So now that the forums are hosted by a third party, holding customer email addresses provided by PlusNET, who assumes responsibility for the security of that data?  PlusNET who acquired the data or lithium into whose hands it has been entrusted.

it seems to me that on each of the recent occasions where an email address used exclusively in association with a user's PlusNET account ir associated servuce has escaped into the wild, a third party has been involved.  What is it going to take for PlusNET to realise that the only way they can properly control access to client information is to keep it and the systems which use it in house behind their own security systems?

I wonder how long before the exclusive email address I setup for my forum identity (prior to this data being passed to lithium) escapes into the wild?

If you want to protect the integrity of your primary email address, make sure that's not the email address used on this forum.

PlusNET users can have email addresses in the form of anything1@username.plus.com.

If you have catch-all switched on, they will arrive in your default mailbox, if you prefer to have catch-all switched off, make anything1 an alias of the mailbox you want to receive those emails.