Last month I reported that both Play.com and Maine’s Dept. of Conservation had been hit by breaches at their third-party vendors. Game Show Network (GSN) customers were also notified of a breach at a third-party vendor, but I didn’t report it at the time because I was trying to get confirmation from the company whether the breach was due to a compromise involving ExactTarget – the same vendor that may have been involved in a TripAdvisor.com breach that was also reported recently. Although original media reports suggested that the TripAdvisor.com breach might have been due to an SQL injection, some other reports suggest otherwise. [UPDATE: On April 5, TripAdvisor.com notified customers that they had been affected by the Epsilon breach.]
A GSN spokesperson tells DataBreaches.net:
Yes, unauthorized access occurred to our email lists that led to fraudulent emails being sent to many of our players. We’re taking this matter very seriously and we are working with law enforcement to investigate the matter. We have identified the source and scope of the compromise and have been in touch with our players who clicked on the link in the fraudulent email. It’s important to note that no email lists were stolen, nor was any of our players’ personal information (credit card information, addresses, passwords, etc.) accessed or stolen. While opening the email message will not damage a recipient’s computer, we advised those players that if they entered personal information, made a purchase, or downloaded a file, they should contact their credit card company and run a virus scan as a safety precaution.
The spokesperson would not say whether the breach was at ExactTarget and they declined to indicate how many of their customers were affected. Other evidence, however, in the form of email headers sent to DataBreaches.net and posted to online forums suggest that the GSN breach was due to a breach at ExactTarget.
ExactTarget did not respond to requests for a statement. Nor did ProFlowers.com, another client of theirs who had at least one customer receive a phishing attempt sent to a unique email address he only used for their mailing list. If ExactTarget was breached, it is somewhat surprising that we have not seen a lot of press releases from their clients who needed to notify customers.
Elsewhere, Fahmida Y. Rashid of eWeek reported:
Three recent data breaches at third-party Web service providers highlight the importance of organizations making sure customer data outside of the company is protected.
[…]
There have been other data breaches at third-party providers recently. Play.com, an online seller of CDs, DVDs, books and apparel, notified customers on March 23 that its third-party marketing company’s database had been breached. CEO John Perkins told customers via Play.com’s Facebook page that the email marketing company is Silverpop, which was attacked a few months ago.
[…]
The agency claims none of the Play.com email addresses was affected by that episode, according to Perkins. It is not clear at this time whether email addresses and names were stolen during that attack, or if attackers got into Silverpop again more recently.
With respect to that last point, Tom Espiner of ZDNet writes:
Silverpop told ZDNet UK on Tuesday that it had suffered a breach in the autumn of 2010, but did not believe that this was affecting Play.com customers.
“While we are reviewing all possibilities, it’s difficult for us to directly connect the 2010 incident with specific spam messages sent this year,” said Silverpop spokeswoman Stacy Kirk.
Rashid also reported:
Users on Game Show Network forums reported receiving similar fake Adobe Acrobat/Reader spam on March 20. An examination of the email headers revealed the messages were being sent from GSN’s marketing company, ExactTarget. TripAdvisor has been an ExactTarget client since 2008, according to the company’s previous announcements.
Brian Krebs originally broke the story about these spear phishing attacks back in November, and provided an update in December.
Are the recent rash of breaches the results of November attacks, or do they represent a newer rash of attacks as cybercriminals recognize how easy it may be to gain access to huge databases of email addresses?
And of course, now there’s the Epsilon breach.
With so many obvious compromises, isn’t it time for companies to be a bit more transparent about whether their customers’ email addresses have been acquired, and if so, who was the vendor involved?
At times like these, I’m really glad I use disposable or self-expiring email addresses when I sign up for some things.
CORRECTION OF APRIL 6: It seems I had it right the first time in associating TripAdvisor.com with ExactTarget, although it’s still unknown whether TripAdvisor.com’s March 24th breach disclosure was related to a SQL injection of their database or a breach involving a third party.