ALERT: Potential Agilebits email purchase email address leak?
I use individually unique email addresses for online transactions. About 7 hours ago I received a general spam message addressed to the account that was used for my purchase of 1Password from Agilebits via Paypal. This has me incredibly alarmed.
This is not a question of "if someone was hacked/data was leaked" but rather who was hacked/who's data leaked? I am reasonably confident it was not me or my email system (I just did an audit, of course), which essentially leaves Agilebits and Paypal. This is not the only email I've used for this type of transaction with Paypal in the same general time period (+/- a few months), and I have not received spam at any of the other PP locations, thus I reason it is probable that Agilebits is, unfortunately, the source of the leak.
Note that the only item necessarily revealed is the one-time email address, however, in situations like this it's obviously best for companies to do a full security audit and public release of results. I'm posting here to see if anyone else noticed a similar problem or is aware of any data leaks with regards to Agilebits?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
I've been asked to look into this as I handle pentesting and 3rd party audits. Could you please contact us via support@agilebits.com, mention this forum post, and tell them Julie sent you? You will need to include the one-time email address you used in your support email.
It's important to note that while email addresses are considered to be private, they are not considered to be secret in the same way that passwords, credit cards, etc. are considered to be secret. Once I have your one-time email address and can determine where we may have stored it, I will start looking into various ways in which it may have been disclosed.
0 -
done!
0 -
@bruinbits: I'm not seeing anything in our system from this address, so if you can post the Support ID here we'll make sure Julie sees it as soon as possible.
Anecdotally, the same thing happened to me in the past with an email address which was composed of a numerical sequence. I actually never gave it out to anyone, but it became clear over time that spammers were just trying every possible address over time — the firehose approach.
So while I won't rule out the possibility that an email address could theoretically be gotten from PayPal or AgileBits (though we absolutely don't sell any customer information), it's important to keep in mind that there are plenty of other ways for an email address to get out — including guessing.
I'm not sure that we'll ever know for certain what happened in this case, but I have no doubt that Julie will investigate thoroughly to determine if someone has gained access to email addresses in our system. Thanks for bringing this to our attention. You're in good hands. :)
0 -
@bruinbits, do you use gmail aliases for this or do you admin your own mail accounts? I do both, depending on the need for security, and if it was gmail, it likely was a result of the firehose approach mentioned by @brenty above because I've been in the same boat with gmail aliases in the past. If they realize you're smart enough to use aliases, they'll try anything they can to find all in use. It's nothing for a program to run through tens of thousands of combinations in hopes of finding two or three legit combos that get an unsub request in the return. Though based on your initial post, I assume you already know that much (or spent some of the previous 7 hours researching what you should suggest agilebits should do next ;) ).
0 -
Hi there,
Just wanted to add a quick update here: Julie is currently investigating the issue, and we’ll continue the conversation via email. :)
ref: DVD-44547-282
0 -
Hi all! I'm late back to my own party here but I haven't forgotten about things. I finally got Julie what she needs to continue the investigation internally.
All reasonable points made above, however:
1. No, this isn't @gmail, this is pure self-admined domain.
2. This isn't a randomized address. I have a reasonably sophisticated set of categorizing filters on my end to put firehose emails into a kind of grayspam folder. The address used in this case is both (a) not likely to be hit by randomized attacks - it's too long and (b) doesn't look anything like the randomized stuff I get all the time. :)
I'm not particularly concerned, but thought I'd bring it up. I also realized that the arbiter of the payment transaction might be at fault here, so that's another potential explanation (however I've used that arbiter for plenty of transactions and don't have consistent spam from any of the other unique addresses a hacker would have if that was the source).
0 -
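The reasoning in this thread (one alias per vendor, spam to one alias but not to sibling aliases shared with the payment arbiter, and a check for whether an address looks like something an enumeration run would guess) can be written down as a small attribution script. This is an added example, not code from the forum or from AgileBits; the aliases, party names, domain and the "guessable local part" pattern are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: each purchase alias was disclosed to one vendor and to
# the payment arbiter. Hypothetical addresses on a self-administered domain.
ALIAS_PARTIES = {
    "purchase-1password-2014@example.com": ("VendorA", "Arbiter"),
    "purchase-bookshop-2014@example.com": ("VendorB", "Arbiter"),
    "purchase-hosting-2014@example.com": ("VendorC", "Arbiter"),
}

# Local parts a "firehose" enumeration run would plausibly guess: short digit
# strings, short words, or a short word plus digits. Constructed heuristic.
GUESSABLE = re.compile(r"^(?:\d{1,8}|[a-z]{1,6}|[a-z]{1,5}\d{1,4})$")


def classify(recipient: str) -> str:
    """Label one spam recipient address."""
    addr = recipient.lower()
    local = addr.partition("@")[0]
    if addr in ALIAS_PARTIES:
        return "attributable"        # a vendor-specific alias received mail
    if GUESSABLE.match(local):
        return "likely-enumeration"  # fits the guessing pattern, not on file
    return "unknown"                 # e.g. a typo or an alias not recorded


def attribute(spam_recipients) -> dict:
    """For each party, return (aliases hit, aliases that party knows).

    A party whose every known alias received spam is a stronger suspect than
    one where only one of many shared aliases did, which is the argument the
    original poster makes about the payment arbiter."""
    known, hit = defaultdict(set), defaultdict(set)
    for alias, parties in ALIAS_PARTIES.items():
        for party in parties:
            known[party].add(alias)
    for recipient in spam_recipients:
        addr = recipient.lower()
        for party in ALIAS_PARTIES.get(addr, ()):
            hit[party].add(addr)
    return {party: (len(hit[party]), len(known[party])) for party in known}


if __name__ == "__main__":
    sample = ["purchase-1password-2014@example.com", "12345@example.com"]
    for r in sample:
        print(r, "->", classify(r))
    print(attribute(sample))  # VendorA hit 1/1, Arbiter hit 1/3
```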
Thanks for the additional bits of info, @bruinbits. :)
Ben
0