A “hacker” stole millions of names and email addresses – were you a victim too?
Information is the new gold. Information about you is being collected and collated and, unfortunately, shared with companies and organizations without your knowledge, permission, or consent. The companies who collect this information are companies you do business with and trust. Companies like Best Buy, Target, Disney, Verizon, Capital One, Chase, MasterCard, Visa, Kroger, and many others.
Recently, it became known that over 2500 companies, those mentioned above and others, had sold or given some of the information they had about you to a company you had probably never heard of before. The company is called Epsilon. Epsilon does email marketing for thousands of companies, including retail stores, restaurants, hotels, cell phone providers, entertainment companies, banks, and credit card companies. If you do business with any major retail store, bank, restaurant, cell company, hotel, etc., whether online or off, and you have given them an email address, there’s a good chance Epsilon has a file with your name on it. In that file is information about you: your name, your email address, and the products or services you have purchased. While you may have thought you were giving this information only to, let’s say, Target, Target was giving your information to Epsilon so that Epsilon could send you emails that appeared to come from Target.
In most other cases, email sent by someone pretending to be someone else would be spam, or outright illegal, but Epsilon’s business is email marketing, not spam. Companies like Verizon, Kroger, and Capital One pay Epsilon to send emails on their behalf. The line between email marketing and spam is thin. In this case the stores, banks, restaurants, and service providers paid Epsilon to provide email marketing services for them. To provide that service, the companies had to turn over a customer database containing names, email addresses, and marketing information (what products and services you use, how much you spend per purchase, possibly your age and income, and other general information) to Epsilon so that it could send you emails which appeared to come from the companies you do business with. So when you got that email from Best Buy, Verizon, Capital One, Disney, or any of the 2500 other big companies on Epsilon’s client list, it really came from Epsilon, not from Best Buy, Verizon, etc.
You didn’t know that, and you probably never would have known it had Epsilon’s database not been breached by a “hacker” and all that information stolen. No one knows for sure where the hacker or hackers are located; no one even knows for sure that it wasn’t an inside job. No one knows much of anything yet, except that Epsilon’s database was stolen and that in that database there probably was a file on you and me. Tens of millions of names and email addresses were stolen. Each name and email address may have had some of the other information attached to it: what you purchased most often, how much you spent, your preferences; basically, what kind of customer you are and your buying history. But none of the stolen files contained any highly sensitive information (credit card numbers, home addresses, social security numbers, cell phone or house phone numbers), at least as far as anyone knows.
It is highly probable that no sensitive information was stolen. But the information that was stolen is still highly valuable. It was valuable to the companies you do business with, it was valuable to Epsilon, and now it’s valuable to the criminals who stole it. It is valuable to them because, rather than running a random spam operation where tens of millions of emails are sent in the hope of making a few hundred sales or infecting a few tens of thousands of computers, the criminals now have enough information to send realistic-looking email targeted to your preferences and your buying patterns. Now the criminals know you like pepperoni and onions on your Domino’s pizza; they know you have a credit card with Capital One; they know you’ve been to Disney World and like to stay at several Disney properties. They know how often you shop at Kroger. They know what you like when you shop at Target. They know you have a Verizon Droid cell phone and that you recently bought a Bluetooth headset. The criminals know as much, or as little, as the companies you do business with and as Epsilon knew. And they will address the email to you, “Dear Charlotte Billings”, not “Dear Valued Customer”.
So now you have two kinds of spam you have to be watching for – the kind you’ve come to know and hate; and the kind that looks just like the emails you normally receive from companies you do business with. And you’re going to have to be very careful in the future that you don’t make a careless mistake and give up any sensitive information to the criminals – and that you don’t download any malicious software (bots, Trojans, spyware, or expensive but useless software) on your computer.
The basic Email safety rules apply – but now you have to be even more vigilant.
One thing is for sure: if an email came from the criminals and you click the links in it, it is going to lead to bad things – Trojans, bots, or other nasty software installed on your computer – or you may be tricked into handing your credit card number, social security number, home address or cell phone number to the criminals.
It’s very important that you take every possible step to protect yourself:
1. Change your email address with the companies you do business with. You can do this without creating new email accounts: use Gmail’s PLUS email addressing. If you don’t have a Gmail account, create one.
We cover Gmail’s PLUS addressing here.
Briefly, if you receive updates from any of the companies who used Epsilon at, let’s say, you@gmail.com, here’s what you need to do.
Go to the company (let’s say Verizon) and change the email address they have on file to you+verizon@gmail.com. You don’t need to create a new Gmail address: Gmail delivers anything sent to you+anything@gmail.com to your existing inbox. Then create a filter in Gmail that matches mail claiming to come from Verizon Wireless whose “To” address is the plain you@gmail.com rather than you+verizon@gmail.com, and sends it to the spam folder. (Send yourself a test message to each address before you trust the filter.) Real Verizon mail now arrives at the tagged address; anything that claims to be Verizon but arrives at the old address was sent by someone working from the stolen list. You just rendered the address the criminals stole useless.
If you do this with all your accounts (you+kroger@gmail.com, you+capitalone@gmail.com, and so on), any email you get at those addresses will be valid because they’re all “new”, and anything that comes to the old email address (the one stolen from the companies involved) will go to your spam folder. A bonus: if mail ever arrives at you+kroger@gmail.com from someone other than Kroger, you know exactly which company shared or lost your address. Two caveats. A few web forms wrongly reject the “+” character in an email address; Gmail also ignores dots in the username, so yo.u@gmail.com reaches the same inbox and gives you a usable alternative on those sites. And the tag is not a secret: anyone who sees you+verizon@gmail.com can guess you+kroger@gmail.com, so treat this as a way to spot forged mail, not as a lock. And you can do all this without creating a single new email address. We will cover how to
2. Now would be an excellent time to change your passwords on all your accounts. Never use the same password for more than one account, and don’t use simple passwords. Use strong passwords: at least 12 characters, mixing letters, numbers, and symbols. Create random passwords with a password generator, like the one that comes with LastPass, and use a password manager like LastPass to remember them for you and to fill in login forms automatically. A manager that fills a saved password only on the site it was saved for also gives you a quiet phishing check: if it refuses to fill a login form, look hard at the address bar. LastPass is free, so there’s no reason not to be using a good password manager. Get LastPass from http://www.lastpass.com/ .
3. Use good security software and keep it updated. Emsisoft protects you from malware, ransomware, PUPs and other threats better than any other software we’ve tested. Read more about Emsisoft here.
4. Don’t click links in emails which ask for sensitive personal information, password changes, or credit card information. If you need to check an account or change a password, type the company’s address into your browser’s address bar yourself – and always – ALWAYS – make sure the URL begins with https:// and not http:// any time you are dealing with sensitive information like credit card numbers, social security numbers, bank account numbers, etc. Two cautions: https:// only means the connection is encrypted; criminals can run an https:// site too, so also check that the name in the address bar really is the company’s domain and not something like company.com.somethingelse.net or an address with the company’s name stuffed in before an “@”. And the visible text of a link can say one thing while the link itself goes somewhere else, so the text proves nothing. This applies to all emails: a legitimate company will not send you an unsolicited email asking you to click a link to verify your personal information or to supply your password. NEVER.
5. Use your head. Don’t panic and don’t listen to those who try to scare you into buying things like Lifelock or some other program guaranteed to protect your identity. Don’t waste your money. Use your common sense – it’s the best software protection you can’t buy.
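The filter logic from step 1, written out as a small Python program so the decisions are explicit. This is an added example, not code from the original post and not Gmail’s own filter engine; the company domains, tags and the mailbox charlotte.billings@gmail.com are constructed for the example, and it assumes Gmail’s real routing rule that case, dots and a “+tag” in the username are ignored for delivery. It also handles the long multi-recipient “To” lines that a reader describes in the comments below.

```python
"""Plus-address check for mail from companies enrolled the Epsilon way (added example)."""
from email.utils import getaddresses, parseaddr

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample data: the tag registered with each company, keyed by the
# domain that company's mail is supposed to come from.
ENROLLED = {
    "verizonwireless.com": "verizon",
    "kroger.com": "kroger",
    "capitalone.com": "capitalone",
}
MY_MAILBOX = "charlotte.billings@gmail.com"   # hypothetical mailbox


def split_address(addr):
    """Return (user, domain, tag) for one address.

    For Gmail, 'user' is canonicalised the way Gmail routes it: lower-cased,
    dots removed and the '+tag' stripped, so c.b+kroger@gmail.com and
    CB@gmail.com both map to user 'cb'. Other domains keep their dots.
    """
    _, addr = parseaddr(addr)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    user, _, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        user = user.replace(".", "")
    return user.lower(), domain, (tag.lower() or None)


MY_USER, MY_DOMAIN, _ = split_address(MY_MAILBOX)


def enrolled_tag(sender_domain):
    """Tag we gave the company owning sender_domain (or a subdomain of it), else None."""
    for company_domain, tag in ENROLLED.items():
        if sender_domain == company_domain or sender_domain.endswith("." + company_domain):
            return tag
    return None


def classify(from_header, to_header):
    """Decide what the filter should do with one message.

    'deliver'   from an enrolled company, addressed to the tag we gave it
    'forged'    claims an enrolled company but was sent to the old, untagged
                address, i.e. the one that sat in the stolen list
    'leaked:X'  claims an enrolled company but used the tag we gave company X,
                so X's copy of our address has been shared or stolen
    'not-mine'  none of the recipients is this mailbox (mass 'To:' lists)
    'unknown'   sender not enrolled; leave it to the normal spam filter
    The From: header is attacker-controlled, which is the point: a forged
    From: combined with the stolen address is exactly what we want to catch.
    """
    _, sender = parseaddr(from_header)
    expected = enrolled_tag(sender.rpartition("@")[2].lower())

    my_tag = None
    for _, addr in getaddresses([to_header]):
        user, domain, tag = split_address(addr)
        if (user, domain) == (MY_USER, MY_DOMAIN):
            my_tag = tag
            break
    else:
        return "not-mine"

    if expected is None:
        return "unknown"
    if my_tag is None:
        return "forged"
    if my_tag != expected:
        return f"leaked:{my_tag}"
    return "deliver"


if __name__ == "__main__":
    # Constructed messages: one genuine, one forged from the stolen list,
    # one that reveals which company passed the address on.
    print(classify("Verizon Wireless <news@mail.verizonwireless.com>",
                   "Charlotte Billings <charlotte.billings+verizon@gmail.com>"))
    print(classify("Verizon Wireless <news@verizonwireless.com>",
                   "charlotte.billings@gmail.com"))
    print(classify("Kroger <offers@kroger.com>",
                   "CharlotteBillings+verizon@gmail.com"))
```

The “leaked:” verdict is the part the plain Gmail filter cannot give you: because each company got its own tag, the tag on an unexpected message names the company whose copy of your address went astray.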
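Step 2 recommends a generated random password; here is what a generator has to get right, as an added example written for this page rather than LastPass’s code. It draws from the operating system’s cryptographic random source via Python’s secrets module (never the random module, whose output is predictable), requires every character class, and rejects and redraws rather than patching missing classes in, so every accepted password is equally likely. The symbol set is an assumption; trim it to what a given site accepts.

```python
"""Random password generation with a CSPRNG (added example)."""
import math
import secrets
import string

# Character classes every generated password must draw from.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!#$%&*+-=?@^_",   # assumed symbol set; adjust to the site's rules
)
ALPHABET = "".join(CLASSES)   # 75 distinct characters


def is_strong(password):
    """At least 12 characters and at least one character from each class."""
    return len(password) >= 12 and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length=16):
    """Uniformly random password over ALPHABET with every class present.

    secrets.choice uses the OS CSPRNG. Candidates that miss a class are
    discarded (rejection sampling) instead of being fixed up, which keeps
    the distribution over accepted passwords uniform.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, round(entropy_bits(len(pw)), 1), "bits")
```

A 12-character password from this 75-character alphabet carries about 74.7 bits; 16 characters gives just under 100, which is why a manager-generated 16-character password is the easy default.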
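The checks behind step 4, as an added Python example (not from the original post): given a link lifted out of an email, it insists on https, rejects a raw IP address, rejects the “company name before an @” trick in which the real host hides after the @, rejects internationalised hostnames that can carry lookalike letters, requires the host’s owning domain to be one of the sites you actually use, and flags link text that displays one site while the link goes to another. The TRUSTED set and all URLs are constructed for the example; the two-label ownership rule is an assumption that does not cover suffixes such as co.uk.

```python
"""Email link inspection (added example)."""
from urllib.parse import urlsplit

# Constructed: owning domains of the companies you actually deal with.
TRUSTED = {"verizonwireless.com", "capitalone.com", "kroger.com", "target.com"}


def registrable_domain(host):
    """'account.verizonwireless.com' -> 'verizonwireless.com'.

    Assumption: the owner is the last two labels. Two-label public suffixes
    such as co.uk would need a public-suffix list; not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _shown_host(link_text):
    """Hostname a reader would infer from a link's visible text, or None."""
    text = link_text.strip()
    if " " in text or "." not in text:
        return None            # plain words such as 'Click here' show no host
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname


def check_link(href, link_text=None):
    """Return (verdict, reason) for a link found in an email.

    'ok' means: https, a real hostname (not an IP, no userinfo trick, not
    punycode) whose owning domain is trusted, and the visible link text, if
    it looks like a URL, points at that same domain.
    """
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    scheme = parts.scheme.lower()
    if scheme != "https":
        return "reject", f"scheme is {(scheme or 'none')!r}, not https"
    if not host:
        return "reject", "no hostname in link"
    if parts.username is not None:
        # https://verizonwireless.com@evil.example/ : the part before '@' is
        # a username; the browser connects to evil.example.
        return "reject", f"text before '@' hides the real host {host!r}"
    if host.replace(".", "").isdigit():
        return "reject", f"raw IP address {host!r} instead of a company hostname"
    if "xn--" in host:
        return "reject", f"internationalised hostname {host!r}; lookalike letters possible"
    owner = registrable_domain(host)
    if owner not in TRUSTED:
        return "reject", f"host {host!r} is owned by {owner!r}, not a site you use"
    shown = _shown_host(link_text) if link_text else None
    if shown and registrable_domain(shown) != owner:
        return "reject", f"link text shows {shown!r} but the link goes to {host!r}"
    return "ok", f"{host!r} is under {owner!r} over https"


if __name__ == "__main__":
    # Constructed links in the shapes phishing mail actually uses.
    for href, text in [
        ("https://www.verizonwireless.com/myverizon/", "My Verizon"),
        ("http://www.verizonwireless.com/myverizon/", None),
        ("https://verizonwireless.com.account-verify.example/login", None),
        ("https://verizonwireless.com@evil.example/", None),
        ("https://203.0.113.5/verizon/", None),
        ("https://www.capitalone.com/x", "https://www.verizonwireless.com/"),
    ]:
        print(check_link(href, text))
```

The point of the order of checks is that the cheap, decisive rejections (wrong scheme, hidden host, raw IP) come before the domain comparison, and that the domain comparison is made on the owning domain rather than on whether the company’s name appears anywhere in the host.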
It is almost a certainty that you will be bombarded with spam in the coming weeks — and you’ll continue to be bombarded until you get those email addresses changed. You will also be seeing a lot of ads and tech articles about security programs and firewalls. Everyone will be out to get your money; everyone will be making wild promises about how well they can protect you and your identity. There’s only one thing in the world that can protect your identity, 100% of the time – your own common sense and your knowledge. Don’t panic. And don’t believe those people who try to scare you into action – they’re only scaring you so they can profit from this unfortunate incident.
We all live in the age of information; we all live in an age where information has become highly valuable. Information is the new gold, and until the companies who store and maintain legitimate databases of information guard them like Fort Knox, more incidents like the Epsilon incident are going to happen. It’s nearly impossible to shop or buy anything, online or offline, anymore without information being collected. We have all had to trade a little privacy for a lot of convenience. The secret is knowing how to contain the potential damage and reduce the potential risks. The Epsilon incident just highlights the fact that your information is being bartered and shared between companies without your knowledge or consent. We’d never heard of Epsilon before this week, and you probably hadn’t either. There are, no doubt, other companies out there performing the same “services” as Epsilon. We don’t know who they are, and you probably don’t either.
What really matters now is that you know how to react to this situation. You need to be aware and concerned – but you don’t need to be afraid and you don’t need to panic. This latest theft of email addresses, names, and information is serious, but it’s not the end of the world; your identity is still safe. We’re trying and will always try to help you keep it that way.
(If you want to read more about Epsilon and the theft of its databases, here’s a good article to read.)
Hey TC and EB!
In the article above you mention using LastPass. Is there any reason why you recommend LastPass and not Roboform? I have been using Roboform for years and now I’m having a few challenges with it since switching to a Mac.
Thanks so much for any help you can give on this subject.
No problem with Roboform per se. We just think when you sell lifetime licenses they should be lifetime licenses. Roboform’s were supposed to be lifetime licenses but now since version 7 was released, they want you to buy a new license in order to upgrade. Not good business. LastPass is free and works nearly as well. I use it and I’m happy with it.
I thought it might be interesting to some if I passed on what I discovered in the address line of a particular spam email I looked at this afternoon. I’ve received this same email before, sent by the same person with the identical subject line.
(From Julia Ward, Subject: “Don’t pay another cable bill again.”) I once knew a real Julia Ward, so I read the email even a second time.
The email I received today was different from the previous one. In today’s email, the “To” field had about 8-10 email addresses in the first line, none of which was mine, which is not unusual for spam. I thought, “Dumb, they didn’t use the BCC field.”
Then I noticed there was a little slide bar to the right of the address window, and curiosity made me take a look. (I counted) 197 lines in the address window. That’s 197 lines x 8-10 per line!!!??? You can do the math. Don’t know why they stopped at 197 lines, but that’s the number.
Then, while still looking for my name, I noticed that all the addressees were in alphabetical order, and all started with the letter “M”. It made me wonder: now WHERE did they get that list? Perhaps stolen from Epsilon? The rest of the “M’s”, and the A’s, B’s, C’s, etc., will probably be sent under a different name with the same subject, from the same spammer.
Anyway, my name was really on that list, with the address that my ISP (Verizon) and a few select others have. I’m very careful about who I give that address to. Everybody else, including my bank and charge card accounts, was given one of my Gmail addresses.
I think in the next day or so I’ll start checking Gmail’s spam filters, looking for emails with over 2-3 lines in the “To” field, so I can start using the Gmail plus-address system that TC and EB recommended.
I don’t ever remember seeing that many addressees in a single email before…..maybe you have. I often check addressees of spam emails, just to see if my name is really there. Many times it’s not, but I’d remember if I had to search through that many names before.
I might add that my spam filter at Verizon mail is turned “off” because of their “censorship” (emails from family and friends consistently ended up in the spam folder). I’d like to think Julia Ward’s email, and not my sister’s, would have gone to the spam folder, but who really knows.
By the way, that spam email promotes something called “Omni PCTV”. For a one-time fee (unknown at this point), they’ll let you download software that will enable you to watch 3,500 premium TV channels on your PC, for life, no charge. Then in the last paragraph it says “by making the switch to Satellite Direct… blah, blah”.
So your guess is as good as mine who the company actually is. There’s no way I’m going to click on any links in that email to satisfy curiosity.
PS: To my surprise, I get very little real spam since I turned OFF my ISP spam filter and added some gmail accounts. I get ALL my mail, and using the “delete” is a lot less frustrating.
I have to say that Gmail does a GREAT job with spam. Only one time did I find something in the spam folder that was NOT spam. AND, I get lots and lots of emails.
Sorry. Didn’t mean to turn this into a “blog”, but I guess I did. I’ll do better next time.
I have tried using the “address” as you recommend, on several different sites, old and new.
When I add the +kroger (etc.) it says the email address is not valid.
I know I can’t have as many email addresses as I have sites I get email from.
What am I doing wrong?
Thank you for all your help.