A Diapers.com customer kindly sent me a copy of the e-mail he received from them today:
From: Diapers.com <[email protected]>
Date: Sun, Nov 10, 2013 at 12:09 PM
Subject: An Important Message Regarding Your Account
To: [redacted]
Hello [redacted]
This is an important message from Diapers.com
At Diapers.com we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Diapers.com-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Diapers.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Diapers account.
To regain access to your Diapers customer account:
1. Go to Diapers.com and click the “Your Account” link at the top of our website.
2. Click the link that says “Forgot your password?”
3. Follow the instructions to set a new password for your account.
Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you choose a password that you are not using on any other sites.
If you have any additional questions or concerns, please feel free to contact our friendly customer care team at 1.800.342.7377 or
[email protected]
Sincerely,
Customer Care Team
Diapers.com, a Familyhood site
Okay, that is really impressive. They found a data dump online and ran it against their own customer database of email addresses and passwords and reset any passwords if they found a match? If so, wow.
But were they really matching address-password sets or just email addresses? As my correspondent points out, it may be the latter:
What’s strange is that I just signed up as a customer about two weeks ago and I use a unique password for each website. Something seems a little strange. I have contacted their customer care, but have not heard anything back so far.
I’ll update this post if he gets back to me with additional information from them. In either event, though, kudos to Diapers.com for looking out for customer privacy and security.
Update: In light of the comments posted by consumers, below, I may have been too quick to praise diapers.com or to accept their statement that the breach was not related to them in some way. I have sent an inquiry to diapers.com and soap.com (the main press address for quidsi.com) to ask for specifics and to inquire whether quidsi.com was hacked. If/when I get a response, I will post it.
Update 2: Site visitors may wish to read Dan Goodin’s article on Diapers.com jumping into/off of the Adobe breach on Ars Technica. If you are uncertain whether your data were involved in the Adobe breach, I had posted a link over the weekend to a site where you can test your email address. See that post.
Update 3: Annoyingly, Diapers.com, Soap.com, and Quidsi.com have NOT responded to my inquiries about whether they really matched passwords. It turns out that Facebook is also notifying their users but has actually confirmed that they are matching passwords. An employee posted the following on Brian Krebs’s site:
I work at Facebook on the security team that helped protect the accounts affected by the Adobe breach. Brian’s comment above is essentially spot on. We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.
Like Brian’s story indicates, we’re proactive about finding sources of compromised passwords on the Internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.
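To make concrete the difference between the two policies discussed above (flagging every customer whose e-mail address appears on a leaked list, versus Facebook's approach of running the recovered plaintext passwords through the site's own login check), here is an added illustration. It is not code from Facebook, Quidsi or this post; the PBKDF2 password store, the example.com addresses and the leaked pairs are all constructed for the example, and nothing on the page says what scheme either company actually uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Set, Tuple

# Illustrative password store: email -> (salt, PBKDF2-HMAC-SHA256 digest).
# Assumption for this example only; the page does not describe the real scheme.
PBKDF2_ITERATIONS = 100_000

UserStore = Dict[str, Tuple[bytes, bytes]]


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(users: UserStore, email: str, password: str) -> None:
    """Store a fresh random salt and digest, as a signup form would."""
    salt = os.urandom(16)
    users[email.lower()] = (salt, _derive(password, salt))


def verify_login(users: UserStore, email: str, password: str) -> bool:
    """The login-time check. Leak screening calls this exact function, which is the
    point of Facebook's description: there is no second verifier to get wrong."""
    record = users.get(email.lower())
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _derive(password, salt))


def screen_leak(users: UserStore, leak: Iterable[Tuple[str, str]],
                match_passwords: bool) -> Set[str]:
    """Return the customer e-mails whose password should be force-reset.

    match_passwords=False: flag any customer whose address is on the list (the
    policy the post suspects Diapers.com used; it also sweeps up people who use a
    unique password here).  match_passwords=True: flag only when the leaked
    plaintext passes our own login check, i.e. the password really is reused.
    """
    flagged: Set[str] = set()
    for email, leaked_password in leak:
        key = email.lower()
        if key not in users:
            continue  # not a customer; nothing to reset
        if not match_passwords or verify_login(users, key, leaked_password):
            flagged.add(key)
    return flagged


# Constructed sample leak (plaintext pairs, as Facebook says researchers recovered).
LEAKED_PAIRS = [
    ("alice@example.com", "hunter2"),     # reuses this password on our site
    ("Bob@Example.com", "password1"),     # customer, but uses a different password here
    ("carol@example.com", "letmein"),     # not a customer at all
]


def build_demo_users() -> UserStore:
    users: UserStore = {}
    register(users, "alice@example.com", "hunter2")
    register(users, "bob@example.com", "correct-horse-battery-staple")
    return users


if __name__ == "__main__":
    users = build_demo_users()
    print("email-only policy resets:",
          sorted(screen_leak(users, LEAKED_PAIRS, match_passwords=False)))
    print("email+password policy resets:",
          sorted(screen_leak(users, LEAKED_PAIRS, match_passwords=True)))
```

Under the e-mail-only policy both Alice and Bob get reset notices, which is exactly the experience the commenters with unique, manager-generated passwords describe; under the password-matching policy only Alice is flagged, because Bob's leaked password fails the site's own login check. Note the case-folding of the address before lookup, since a dump rarely preserves the capitalisation a customer registered with.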
I got the same email. I’ve only used diapers.com once, and only signed up about a month or so ago. I changed all of my email passwords just in case. Maybe this has something to do with the hacked Adobe email list. I used the same email address for both.
I wish that they would have included the data dump site in the email warning so we can at least verify if the email is somewhat accurate.
I got the same email from Diapers.com and find it highly abnormal. Most corporate IT security teams have a hard enough time fending off malicious vectors. “email and password sets” are not something you can find with a google search. If Diapers.com wants me to believe they have a bunch of highly paid IT employees scouring the Dark Net shopping for (expensive) credential databases, they must think I am still in my diapers.
They probably got hacked and are using this convoluted PR stunt to get people to reset their passwords. Not buying from them again.
Goodman, see my note below. “Email address and password sets” is readily searchable via Google. Several examples over the past few years likely indicate Diapers.com is paying for a third party service.
(admin – thank you for fixing my botched html tag!)
No problem. I try not to edit comments for content, but some editing is occasionally necessary as in your case. 🙂
I asked them for the site – this is what they sent me today:
(btw, yoyo.com is part of that whole web fam)
Hi Jane,
Thank you for reaching out to us today at YOYO.com. I am sorry that you had to contact us under these circumstances. I can completely understand your concern. We certainly want you to feel secure when shopping online. Your security and privacy are a number one concern to us. Unfortunately, our Tactical Operations Team did not provide customer care with the location of the list to give out to customers. I’m sure you can understand the repercussions that could take place if we give that information out to everyone. You would also have access to everyone else’s information.
Again, our site, YOYO.com was not compromised. Since there is a possibility that you use your email address and password on other sites we distributed the email to you. We also are suggesting that if you use this password together with this email address on other sites, that you may want to consider changing it on those sites as well. When we obtain additional information that we can share with the affected parties, we will absolutely do so.
I cannot apologize enough about this information being shared on the internet. We take these matters seriously and we want to keep your information as safe as possible. I understand this is a huge inconvenience but we wanted to be proactive and ensure you are informed and protected.
Please feel free to contact us again in the future should you need additional assistance. We can be reached anytime, 24 hours a day, 7 days a week at 1-866-YOYO-123 (1-866-969-6123) or via email at [email protected].
Enjoy the rest of your day!
Chris E.
Customer Care Team
Yoyo.com, a Familyhood site
Thanks for sharing their response. So they wouldn’t tell you even if they could tell you? I see….
“We believe”? That’s some vague ass shit. Thanks for absolutely nothing diapers.com.
I got the matching email from wag.com, and my wife got one from diapers.com (both part of the Quidsi sub-empire of Amazon). However, both of us use LastPass and have confirmed that the passwords we have for the sites are LastPass-generated passwords – long, near gibberish, and virtually certain to not be used anywhere else. So the claim in the email that the list is “not Diapers.com related” is very, very smelly.
I have just this to say. A quick search about this indicated that this indeed may have had to do with the Adobe thing. I wasn’t previously aware of the Adobe SNAFU. I went to a story on the guardian.com and they had a link to an app one of their people had written to allow you to check and see if your email address was on the Adobe data dump. Sure enough… the same email that Diapers.com sent me the note about was on that list. None of the rest of the emails we have came up with a hit. I have spent a lifetime grand total of maybe $100-150 with Diapers.com. I’ve spent THOUSANDS with Adobe. Adobe hasn’t said squat which is… well… let’s just say I’ve found Adobe to be seriously lacking in the CS dept. Interestingly, we had a couple “issues” arise with being compromised in the last 10 days. I found that on my wife’s main home computer she’d been hit with a keylogger. There was a little file I located while cleaning things up prior to implementing better security around here… the file had listed certain sites in an exceptions list… one of them was Adobe.com… another was a bank… the same one we had an issue with. Unless it’s proven otherwise I say hats off to Diapers… as a matter of fact they have so impressed me with this that I’m going to start using them more… uh… with my new password generator PW’s 🙂
This email is outrageous!!! I also just got it too… So where is this data dump? Where did they find it? Who published it? They just send an email saying they discovered my personal data is displayed for everyone online to see but they won’t say who or where? But not to worry – they reset my password on a site used for reordering diapers and baby food so all is ok now… Am I the only one who finds this extremely odd and frustrating?
If you read this story (from The Guardian) they have a link in the body of the story to an application that will let you know if your email address was on the dumped Adobe list which may or may not (Diapers didn’t make that clear) be the list referred to in the email we got. You can decide for yourself if you want to try the app and check. http://www.theguardian.com/technology/2013/nov/07/adobe-password-leak-can-check
Nathan,
I think you misunderstand the email from Diapers.com. The statement the list was not Diapers.com related means they found your email address with a random password (which may or may not match the one you use on Diapers.com). Because they know some people reuse passwords on multiple sites, they reset all passwords of email addresses they found on this list.
Technically, the email doesn’t even originate with Diapers.com, but likely a security service they employ. If you check this link from Amazon’s forum, in 2011 they sent a notice to some customers that matches almost perfectly.
Natalie,
I also wish I could see the data dump in question. Understandable, though, why Diapers.com might not want to be in the press for broadly distributing or linking a list of email addresses and passwords. It would be nice if they sent only your record (email + password), but I suppose: 1) the data management might actually be time consuming and, 2) in the likely event the notice is actually generated by a security service, disclosing the exact details costs them business as the consumer pays nothing for their output.
They also got themselves (75.98.67.143 / smtp1.diapers.com) added to the “b.barracudacentral.org” RBL on the same day they sent out all these emails, which meant after receiving that email, some could not reset their passwords. It is unclear whether they were added to the RBL due to one of these emails, or if they were otherwise used to send spam (which could be a hint towards a wider breach).
I got this mail from Soap.com, also a sister site to Diapers.com. Moreover, my address was indeed one of the ones that was leaked from Adobe according to LastPass. So, this adds to the guess that Quidsi has reset all the addresses that were in the Adobe leak.
I got this email from Soap.com. They didn’t match email/password sets, only emails. I use several different “go-to” passwords on different sites, and so I emailed them back asking them to either send me a link to the data dump or tell me what password was listed for my email, and they refused to do either one. But my email/password set was indeed part of the Adobe leak, so that may be it.
I also asked them to clarify as I use unique passwords for each site I have an account on. They refused. To me it makes them look more like they were compromised and they just don’t want to admit it.
If they were concerned with our well being, I would expect them to be more forthcoming.
Got one from Soap.com, also on the Adobe breach. It’s important to note that the Adobe breach only included password hashes, and there were 150 million accounts listed. Your password was probably not in cleartext, so you have some time to clear up your passwords elsewhere. Your password hint was stored in clear text, meaning it is on that list. If your password was less than 10 characters long, it will be easy to decrypt along with the rest of the passwords on the list. If someone is looking for you specifically, they can get it in a matter of minutes. The passwords were MD5 hashes and they are very easy to break.