Earlier today, vx-underground reported that a hoax email was being sent from Equifax with the subject line “Free Pompompurin.”
An unknown individual has compromised the email system for Equifax. They have sent out an email with the subject matter as “Free Pompompurin”.
Image 1: email extended header information. Image 2: the email itself. pic.twitter.com/mlrO99uVdl — vx-underground (@vxunderground) April 3, 2023
As it turns out, the “unknown individual” is not totally unknown to DataBreaches.
On Saturday, DataBreaches received a slightly different version of the email vx-underground posted. The “hr.” subdomain triggered a few intact neurons because I had seen hoax emails with the “hr.” subdomain in February. At the time, I had received a number of emails from various addresses, most of which had “hr.” in the senders’ addresses. Two of the February emails contained usernames in the body of the messages that suggested a BreachForums connection. One name I recognized, but the other, I didn’t.
After getting about half a dozen emails, I contacted Pompompurin to ask him if he had any idea why the unrecognized forum user would be sending me somewhat angry or confusing emails. After looking at one header, Pom reminded me that HR.com had been hacked and more than 2 million records had been put up for sale on the forum last August.
DataBreaches found the August sales listing by “Dior” and looked at Dior’s history of username changes that included “RichTheKid,” “Dior,” “cop,” and “023.” That’s when DataBreaches realized that DataBreaches did have some history with that individual that was not always pleasant. But DataBreaches still needed to determine whether someone was misusing the hacked HR.com data or whether HR.com was being hacked again. When DataBreaches sent the forum user a private message asking if we had them to thank for the hoax emails, their response was not exactly conducive to further questions.
It was Pom who provided DataBreaches with a helpful answer: the user had just been bragging about accessing HR.com again in BreachForums’ shoutbox, saying, in part:
i got it again last night, still got access rn
all the parent corps are still active 256
HR.com was notified
DataBreaches emailed HR.com on February 14. Noting that they had been hacked and data from them sold on BreachForums in August 2022, DataBreaches asked them:
What did HR.com do in response to the hack? Anything?
I got hit with a slew of fake emails this week. The headers showed the following domains in their paths:
hr.unit4.com
hr.nortonlifelock.com
hr.skillsoft.com
hr.mhs.com
go.workhuman.com
betterhiring.modernhire.com
connect.hr.com
DataBreaches informed them that the individual who had sold the data in August was bragging on the forum that they were still able to access HR.com and ended the email with:
So… it appears you have not locked the hacker out.
DataBreaches requested a reply but HR.com never replied.
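The domains in that list came from reading the Received chain of each hoax message. A defender triaging a batch of such mail wants that check to be repeatable, so here is an added example (not code from the article, from DataBreaches, or from any of the parties named in it). It uses Python's standard email module on a constructed sample message; every hostname, address and IP in the sample is a placeholder, and the check it performs is to compare the visible From: domain with the domains that actually appear in the relay path and Return-Path.

```python
"""Added example (not from the DataBreaches article): pull the relay path out
of raw email headers and compare it with the visible From: domain.

The sample message below is CONSTRUCTED for illustration; its hostnames,
addresses and IPs (RFC 5737 documentation ranges) are placeholders, not
values taken from the hoax emails the article describes.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a message that claims to come from example-company.com
# but was handed to our MX by an unrelated "hr."-prefixed third-party host.
RAW_EMAIL = b"""Return-Path: <bounce@hr.example-platform.net>
Received: from hr.example-platform.net (hr.example-platform.net [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTPS id 4PqX1a2b3c
    for <editor@recipient.example>; Mon, 3 Apr 2023 10:00:00 +0000
Received: from connect.example-platform.net (unknown [198.51.100.7])
    by hr.example-platform.net with ESMTP; Mon, 3 Apr 2023 09:59:58 +0000
From: Human Resources <hr@example-company.com>
To: editor@recipient.example
Subject: Free Pompompurin
Message-ID: <20230403.1@connect.example-platform.net>

Hello.
"""

FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (hr.unit4.com -> unit4.com).
    Deliberate simplification: a real deployment should consult the Public
    Suffix List so that names like host.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def received_hops(msg):
    """Return (from_host, by_host) pairs, newest hop first, because each MTA
    prepends its own Received: header as the message travels."""
    hops = []
    for header in msg.get_all("Received", []):
        value = " ".join(str(header).split())  # unfold and squeeze whitespace
        from_m = FROM_RE.match(value)
        by_m = BY_RE.search(value)
        hops.append((from_m.group(1) if from_m else None,
                     by_m.group(1) if by_m else None))
    return hops


def analyze(raw: bytes) -> dict:
    """Summarise where a message claims to come from versus where it actually
    passed through, and flag the kind of mismatch the article's headers showed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return_path_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()

    sender_side_hosts = set()
    for i, (from_host, by_host) in enumerate(received_hops(msg)):
        if from_host:
            sender_side_hosts.add(from_host.lower())
        if i > 0 and by_host:  # hop 0's "by" host is our own receiving MX
            sender_side_hosts.add(by_host.lower())
    if return_path_domain:
        sender_side_hosts.add(return_path_domain)

    infra_domains = {registrable_domain(h) for h in sender_side_hosts}
    hr_hosts = sorted(h for h in sender_side_hosts if h.startswith("hr."))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "infrastructure_domains": infra_domains,
        "hr_prefixed_hosts": hr_hosts,
        # A From: domain that never appears in the relay path or Return-Path
        # deserves a closer look. Legitimate bulk senders also relay through
        # third-party platforms, so treat this as a review signal to combine
        # with SPF/DKIM/DMARC results, not as proof of a hoax on its own.
        "from_domain_not_in_path": registrable_domain(from_domain) not in infra_domains,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Feed `analyze()` the raw bytes of a saved message (an `.eml` file) and it reports the sender-side hostnames, the "hr."-prefixed ones among them, and whether the From: domain is absent from the path. Because a vendor platform can legitimately send on a customer's behalf, the useful question for the recipient is not only "did this relay through a third party?" but "is that third party one this sender is expected to use?", which is what SPF and DMARC policy on the From: domain is meant to answer.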
Now, more than a month later, emails were being sent out again with “hr.” in the sender’s information. But this time, the sender was also corresponding with DataBreaches by email, commenting on the high click rate (28%) that one such hoax mail, sent from “hr.even.com,” had gotten in the first 10 minutes after it went out.
Now what?
DataBreaches would not be surprised if Equifax gets in touch with HR.com at some point. DataBreaches has no idea what HR.com will tell Equifax as an explanation or excuse, but the person responsible for the hoax claims that they have hacked HR.com three times in less than a year.
Each time, they tell DataBreaches, HR.com locked them out. But each time, they got admin perms and were back in.
“They have patched stuff every time, but they can’t keep me out,” they tell DataBreaches.
This person may have just been trolling, but given the potential for misuse and considering the click rates the hoax emails were getting, what should HR.com be doing at this point?
And what, if anything, can the Federal Trade Commission do? HR.com appears to be headquartered in Ontario but also seems to do business in the U.S. HR.com’s privacy policy includes the following:
6. How HR.com protects your personal information
For all our transactions, we employ reasonable and current Internet security methods and technologies. Where appropriate, we password protect, use SSL encryption techniques for credit card information and install firewalls. We strive to protect you. We encourage our participating service providers to adopt and honor their own consumer privacy policies. For all our efforts to safeguard your privacy, no system can be guaranteed. We cannot ensure or warrant the security of any information that you transmit to us, or that we transmit to you, or guarantee that it will be free from unauthorized access by third parties. Once we receive your information, we use reasonable efforts to ensure its security on our systems.
Is that enough to immunize them from any liability?