Forums hacked – for the 3rd time!

Status
Not open for further replies.

spunkarooney (Member; joined Feb 24, 2004; 162 posts)

23/05/2008 http://www.frequentflyer.com.au/community/open-discussion/have-changed-title-13331.html (started by me 23/05/2008)
30/12/2009 http://www.australianfrequentflyer.com.au/community/open-discussion/forums-have-again-been-hacked-20884.html

And now again on 23/10/2010.

How many times is this going to happen?

Allow me to explain, yet again:

The email address I have used for the Australian Frequent Flyer forums is not used anywhere else. That is, only these forums and me know the email address. The email address was changed after each of the two previous security breaches.

Today I received spam to that email address, this time with the subject line “sup4r-low prices!” (the email leads to a dodgy “pharmac_” site).

I accept that this site uses third-party providers for its forums and other services; however, this is now the 3rd time there has been such a breach.

In the years I have employed this practice of using unique email addresses for sites I subscribe to, I have never had a site with so many breaches. Other sites have had a breach, they have been informed, and there has been no further breach. What is going on here?

On 02/01/2010 the administrator stated:
“Over the last 18 months, we have invested heavily in new infrastructure, security staff and process to ensure that our forum data remains secure and confidential. I am confident that the databases that we manage are as secure as they can be.”
Given the ongoing breaches, I don’t accept this.

The admin also stated:
“That said, there was a security breach in the subscription database of The Frequent Flyer Gazette, our weekly newsletter which many of you receive. The Frequent Flyer Gazette is completely separate to AFF. It has its own domain name and subscription database. We use Aweber, the leading subscription management company and a highly reputable company, to manage this subscription list and send the weekly newsletter.”
Now, I’ve just checked the blog of Aweber, and guess what? Yep, they’ve again been hacked http://www.aweber.com/blog/uncategorized/data-accessed.htm :
“Over the weekend, AWeber was the target of a deliberate and successful attempt to mine email addresses.”
As if to share the blame, in the vein of “we’re just as bad as the others”, the CEO states:
“This incident appears to be part of a broader series of similar successful attacks on a number of email service providers (ESPs).”
Seriously, if an email marketing mob can’t maintain its lists securely then who can? This is the core of that mob’s business.

So, what is AFF doing about the security of its subscriber database?
 
It's an email address, is it really that big of an issue though?

Or are you meaning some other data being stolen?
 
I am not sure what the point is here, what have you lost, a spam free email address?
 
Doesn't worry me - someone from Nigeria is going to give me $US14.5 million. Make EXP again. :shock: :p :p :p :D :cool:
 
Please refer to my post at http://www.australianfrequentflyer....ave-again-been-hacked-20884-3.html#post366930

Our forums have not been hacked. The data on our site, which is under our control, remains secure.

To restate: What has happened is that the company we use for the distribution of The Frequent Flyer Gazette (our weekly newsletter) has had a security breach and the email addresses have been used by an unauthorised party. The company we use is aweber (www.aweber.com), one of the best and most reputable email list management companies.

* Are we disappointed? Sure we are.

* What can we do about it? Other than moving from aweber, not much. And if we did move to another company, there is no guarantee that it won't happen to that company. Unfortunately, such security breaches are not uncommon.

* Is it a big deal? You will be getting some spam, so if that's important to you then I guess it is a big deal. For me, it's no big deal. I have accepted that spam is an unfortunate reality of the online world and do have spam filters which trap most of the spam.

Remember you always have the option of unsubscribing from our newsletter. So if it's a big deal, simply unsubscribe.
 
I am not sure what the point is here, what have you lost, a spam free email address?

The point is data security. And, it's not just me. Clearly I have in place measures to remain spam free.

Ever wonder where spammers get your email address from? Well, it's from data breaches like this.

You appear to be unconcerned about this. I believe you should be concerned about the security of your information.
 
I also use an email address that is only used for AFF, and as yet have never received any spam at that address.

Doesn't worry me - someone from Nigeria is going to give me $US14.5 million. Make EXP again.

They obviously don't trust me. They are only offering me $US9 million :mrgreen:
 
spunkarooney, did you change your "AFF" email addresses on both this forum and the newsletter since you reported the breach earlier this week and, if so, did this come on the new email address?
 
Spam is just like the junk you get in your letter box. Only it's not supermarkets that send you spam. Just up your spam filter, and she be right mate.
 
spunkarooney,

IMHO what you need to do is start again with two new email addresses, one for AFF and one for the newsletter.

Then see what happens. IF you get spam in both or the one specifically for AFF then there really is an issue and I'll be really surprised. If it is only on the newsletter address then it is as admin has said and the site data is secure.
 
spunkarooney, did you change your "AFF" email addresses on both this forum and the newsletter since you reported the breach earlier this week and, if so, did this come on the new email address?

My forum and newsletter email addresses are different. None of the email addresses have yet been changed though I'll be changing the newsletter one, the one which was breached.

As for reporting this, I haven't reported it to Aweber, only here in this thread. The breach may have occurred earlier in the week, but I only received the spam this morning.

I guess that the "hackers" needed a few days to sell the list.
 
spunkarooney,

IMHO what you need to do is start again with two new email addresses, one for AFF and one for the newsletter.

Then see what happens. IF you get spam in both or the one specifically for AFF then there really is an issue and I'll be really surprised. If it is only on the newsletter address then it is as admin has said and the site data is secure.

Yep, that's what I already have — two separate email addresses. I funnel those into one AFF folder on my machine.

Well you guys really are defending the indefensible — you're just as responsible for the email addresses associated with the list as well as the forums. Your customers don't care that you have outsourced it.

In the end, I've brought this to your attention but I could have just as easily lodged a complaint with the ACMA, the Federal Privacy Commissioner, or referred it to media contacts.

I don't appreciate the dismissive nature of some responses. Data security is very important.

What if next time they hack the forum list and release the user names and so on? People's careers could be at risk based on some of the posts I have seen.

I like participating in here when I can, but wow, I'm going to be very careful with what I say because who knows when security might next be breached and what might be revealed and how you (site management) will trivialise the event.
 
I forget which email address I used for AFF but to be honest I do not really care about spam email. And I believe I did not provide any sensitive information about myself when I joined AFF anyway.

My main email address has started receiving spam (I believe it originates from places like SEEK, LinkedIn which are all reputable places) in the junk mailbox but I just ignore it. After 10 days the spam email is deleted and if I really get bored before the 10 days I do not open the spam email but simply mark it as a phishing scam.
 