Flyertalk database leak?
#1
Original Poster
Join Date: Mar 2010
Posts: 5
I've just received a spam offering "iPad Video Lessons" to an email address that was only ever used to register my account on this forum.
If you're selling the database, this isn't clear on sign on. If you're not selling the database, you have a security problem!
#2
Join Date: May 2004
Location: Exclusively OMNI/PR, for Reasons
Posts: 4,188
There are more ways to obtain email addresses than just a security breach on the host's web site. You could have logged in from a public workstation infected with a keylogger (which may have actually been installed by the sponsor of the public workstation), or (if the address is not terribly complicated) been the victim of a "lucky guess," machine-generated or otherwise.
I nevertheless would be very interested to hear if there was a security breach at IB.
#3
Original Poster
Join Date: Mar 2010
Posts: 5
There are more ways to obtain email addresses than just a security breach on the host's web site. You could have logged in from a public workstation infected with a keylogger (which may have actually been installed by the sponsor of the public workstation), or (if the address is not terribly complicated) been the victim of a "lucky guess," machine-generated or otherwise.
I nevertheless would be very interested to hear if there was a security breach at IB.
I use a different email address for every site I register on, and if something was grabbing emails (or worse still credentials) from my end I'd be seeing this problem all over the place.
It would also have to be an amazing lucky guess. There are plenty of email addresses on my domain that the spammers' crawlers know about (e.g. the one I used to use on Usenet), but spam to addresses I've used on 3rd party sites has only ever happened because of breaches on those sites.
#4
FlyerTalk Evangelist
Join Date: Sep 2000
Posts: 37,486
I've never used this site other than from an Apple MacOS X desktop and laptop that are under my direct control (not that those are completely immune, but they're a damn sight better than any Windows box).
I use a different email address for every site I register on, and if something was grabbing emails (or worse still credentials) from my end I'd be seeing this problem all over the place.
It would also have to be an amazing lucky guess. There are plenty of email addresses on my domain that the spammers' crawlers know about (e.g. the one I used to use on Usenet), but spam to addresses I've used on 3rd party sites has only ever happened because of breaches on those sites.
#5
Join Date: Feb 1999
Location: San Jose, California, USA
Programs: AS 100K, UA MM, AA MM, IC Plat Amb, Marriott Gold, Hilton Gold, Hyatt Explorist
Posts: 3,146
I also have my own domain name and give each entity its own customized email address so that I can better track where leaks occur. I can't speak for the OP, but in my case, the email addresses I create can consist of two words, a special character, and a number. There's no way that a spammer can guess this format out of the blue.
I have received spam at several of my custom email addresses, but thankfully, none yet to my FlyerTalk custom email address. I don't use my FT email address for login purposes; I always use my username.
Yes, there are other ways to get my FT email (such as via notifications that FT sends), but if/when I do receive spam to my FT email address, I'd be just as suspicious as the OP as to how it happened.
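The per-site address scheme described in the post above, as an added sketch that is not from any poster or from FlyerTalk: each address is derived from a secret and the site name in the "two words, a special character, a number" shape, and incoming mail is attributed back to the site the address was given to. The secret, domain, word list, site names and the function names `alias_for` and `classify` are all assumptions made for the example.

```python
import hashlib
import hmac

# Assumptions for this sketch: the secret, the domain and the short word list
# are constructed; a real word list would be far larger to resist guessing.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.org"
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove", "heron"]
SPECIALS = "-_."
SITES = ["flyertalk.com", "shop.example", "news.example"]  # constructed


def alias_for(site: str) -> str:
    """Derive a per-site address: two words, a special character, a number."""
    digest = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).digest()
    word1 = WORDS[digest[0] % len(WORDS)]
    word2 = WORDS[digest[1] % len(WORDS)]
    special = SPECIALS[digest[2] % len(SPECIALS)]
    number = int.from_bytes(digest[3:5], "big") % 10000
    return f"{word1}{word2}{special}{number:04d}@{DOMAIN}"


def classify(recipient: str, sender_domain: str, sites=SITES):
    """Map a received message to the site its address was given to.

    Returns (site, verdict). "leak-suspected" says which site's address
    escaped, not how: a breach, a sale, or a side channel such as a
    notification email that exposed the address to a third party.
    """
    by_alias = {alias_for(s): s for s in sites}
    site = by_alias.get(recipient.lower())
    if site is None:
        return None, "unknown-alias"
    sender = sender_domain.lower()
    # The sender domain is forgeable, so "expected" is only a weak signal.
    if sender == site or sender.endswith("." + site):
        return site, "expected"
    return site, "leak-suspected"


if __name__ == "__main__":
    addr = alias_for("flyertalk.com")
    print(addr, classify(addr, "ipad-lessons.example"))
```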
#6
A FlyerTalk Posting Legend
Join Date: Jun 2004
Location: Either at the shooting range or anywhere good beer can be found...
Posts: 51,050
I received an email that said, "This is (person's name) from flyertalk" and then was your standard spam message about money. Perhaps there was some sort of issue?
#7
No longer with Internet Brands
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
There are other ways to get FT email from people you don't know. To curtail this, go to:
MyFlyerTalk
Edit Options
Messaging & Notification
Receive Email
UNCHECK "Receive Email from Other Members"
#8
Moderator: Lufthansa Miles & More, India based airlines, India, External Miles & Points Resources
Join Date: Dec 2002
Location: MUC
Programs: LH SEN
Posts: 48,171
Another point to note is that your email ID goes to the moderator's email account if you report a post. If I look at my Gmail 'contacts' I see dozens of people I have no clue who they are. Investigation revealed that they reported posts and Gmail assumed that they are sending me email. So if there ever is a breach of my Gmail and the contact list is used to spam, these FTers will receive spam.
#9
Join Date: Apr 2007
Location: SEA
Programs: AS MVP, Hhonors Gold, National Executive, Identity Gold, MLife Gold
Posts: 2,687
Another point to note is that your email ID goes to the moderator's email account if you report a post. If I look at my Gmail 'contacts' I see dozens of people I have no clue who they are. Investigation revealed that they reported posts and Gmail assumed that they are sending me email. So if there ever is a breach of my Gmail and the contact list is used to spam, these FTers will receive spam.
IBobi - Sending the notification via PM is the standard implementation that I've seen on most internet forums. For security/privacy reasons (as well as many others), can IB please investigate what it would take to change the notification system?
#10
No longer with Internet Brands
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
This is a great reason why those notifications should NEVER go to a user's email, but to their PM box instead.
IBobi - Sending the notification via PM is the standard implementation that I've seen on most internet forums. For security/privacy reasons (as well as many others), can IB please investigate what it would take to change the notification system?
#11
Flyertalk Evangelist and Moderator: Coupon Connection and Travel Products
Join Date: Jul 2000
Location: Milton, GA USA
Programs: Hilton Diamond, IHG Platinum Elite, Hyatt Discoverist, Radisson Elite
Posts: 19,040
I have asked for this feature for years... makes it much easier to respond to members as well. Not sure how it would overload moderator mailboxes... but I can understand overloading the IB database...
#12
Join Date: Apr 2007
Location: SEA
Programs: AS MVP, Hhonors Gold, National Executive, Identity Gold, MLife Gold
Posts: 2,687
I think this needs to be clarified in the privacy policy. Even if moderators are considered to be IB employees (and I don't think that is the case), I assume IB maintains no responsibility for the security/integrity of the information in their computers. I would expect this to be clarified in section 7 (and possibly other sections as well).
Please update this thread when this FlyerTalk user privacy issue has been addressed.