Read more here:
http://www.pcworld.com/article/22411...ty_breach.html
Basically the clearinghouse-type marketing company that sends mass emails on behalf of some very big-name companies has had a breach, and thousands of customer email addresses and names are now in unknown hands. Affected companies include US/Barclays Mastercard, Marriott, Hilton, Westin, Citibank, Best Buy, JPMC/Chase, and Kroger, with more being reported every few hours. Most companies have sent emails out to customers (but about half of mine ended up in my Spam folder).
Because the client companies hired the marketing company to send marketing email, I feel pretty comfortable (not 100% of course!) with the statement that no financial data or SSNs have been lost, but it's still a little troubling to know that email addresses, names and (presumably) something to identify which customer belongs to which company have gone where they should not be. I'd imagine there will be some very sophisticated phishing attacks in the very near future. These details of who does business with whom make it a lot easier to target potential victims, and more "worth it" for bad guys to be aggressive and sophisticated. So here are some tips to help keep the bad guys out of your electronic life:
-Use strong passwords, the longer the better, and consider pass phrases (like the first letter of each word in a sentence that is easy for you to remember). Use upper and lower case in your passwords as well as numbers and special characters.
-Don't use your email password for other things; remember these guys now have your email address. If they can hack your password, they'll try it on random accounts. They already KNOW you have a Barclays account so that is where they are going first. Don't give them everything all at once.
-Consider changing the email address associated with your Barclays account (and Hilton, Marriott, etc, anyone who got breached) so that notifications of password reset requests go to a new account, instead of somewhere that the Bad Guys might have hacked into.
-Don't trust links in email. If you get an email from your bank, open your browser and manually enter in the bank URL; don't get there by the link because it's pretty easy for a bad guy to forge an email that looks almost identical to the bank email AND a fake URL that looks an awful lot like your bank's URL. Barclays is not going to send you an "account alert" with a link where you're supposed to enter in your SSN. No matter how much it looks like a Barclays email, assume it's not till you can prove otherwise.
-Be suspicious of EVERY attachment, not just those that come from unknown sources. It is very easy to forge the Sent From address on an email, and these guys now have a massive number of email addresses to work with. Some of them will belong to people you know, and it's just a matter of luck if you get one that looks like it came from a trusted source. If your Aunt Jane never sends PowerPoints in email, don't open the PowerPoint that says it came from "Aunt Jane".
-Keep your antivirus up to date, and use URL checkers (built into many modern browsers) that can evaluate a URL and tell you if it appears to come from who it says it came from.
-Learn how to do a "DNS Lookup" or "WhoIs" on any one of dozens of hosting provider websites (I use nic.com and directnic.com). Just access the site's WhoIs tool (also called a registrant lookup), type in the domain name in question, and it will tell you who owns the domain. If your suspicious email says it came from Barclays, and has BarclaysBank as part of (but not all of) its .com name, and you run it through WhoIs, if it comes back to some guy in a far-away country, you now know without a doubt it's not from your bank.
-And above all, don't panic. People have been stealing email addresses for years; it's how they get the addresses to put on the Spam (both as sender and recipient). This breach means you will probably get a lot more spam, and some of it will be quite sophisticated; they will be looking for the easy targets, people they can trick easily, but just because they flood you with fake Mastercard mail doesn't mean you have to do anything with it. Just delete it and you'll be fine.
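As an added example (not part of the original post), here is one way to automate the "brand name is part of, but not all of, the domain" check from the tips above before deciding whether a link deserves a WhoIs lookup. The domain `mybank.example`, the brand word `mybank` and all sample links are constructed placeholders; `classify_link` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

# Constructed sample data: the domain you normally type for your bank,
# mapped to the brand word a forger would try to imitate.
TRUSTED = {"mybank.example": "mybank"}


def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for a link found in an email."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a network location
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    for domain in trusted:
        # Trusted only if the host IS the domain or a true subdomain of it.
        # The leading dot matters: "notmybank.example" must not pass.
        if host == domain or host.endswith("." + domain):
            return "trusted"

    # Search the whole network location, including any "user@" prefix, because
    # "http://mybank.example@203.0.113.5/" really goes to 203.0.113.5.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    for brand in trusted.values():
        if brand in squashed:
            return "lookalike"  # brand word present, but not the real domain
    return "unrelated"


def triage(urls):
    """Map each link to its verdict so the lookalikes can be reviewed first."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    sample = [  # constructed links, as they might appear in a forged email
        "https://www.mybank.example/login",
        "http://mybank-alerts.example/reset",
        "http://mybank.example.account-verify.test/",
        "http://mybank.example@203.0.113.5/",
        "https://news.example.org/story",
    ]
    for link, verdict in triage(sample).items():
        print(f"{verdict:10} {link}")
```

A "lookalike" verdict means the link borrows the brand name without living under the real domain, which is the case the WhoIs tip is meant to catch.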