Four days ago, DataBreaches.net was contacted by a former customer of Click2Mail who reported their suspicion that Click2Mail may have been hacked, sprung a leak, or shared their data with some firm that hadn’t protected it properly. Given the size and scope of Click2Mail’s operations, including the fact that it is a recognized affiliate direct mail specialist of the United States Postal Service and that it also advertises its service as HIPAA-compliant, any data security incident involving Click2Mail seems potentially serious.
Asked why they thought the Arlington, Virginia-headquartered Click2Mail had had a breach or leak, the former customer informed DataBreaches.net that they had used a unique/tagged email address with that service:
I was originally a customer of Postful and several years ago they were bought out by Click2Mail. So I continued to use the same unique address that I created for Postful when using Click2Mail. Click2Mail later put their site on CloudFlare, at which point I could no longer use them.
[…]
Anyway, after a long time of not using Click2Mail, on Oct. 2 the unique email address known only to Postful-Click2Mail received a message. The /From:/ field contained a yahoo.com address and the city of my postal address was in the subject line (with spaces dropped). The body of the message was:
“Hola <my first name>, do you live in <my city with spaces removed>?” Judging from the message, at a minimum the leak was names, email addresses, and postal addresses.
DataBreaches.net reached out to Click2Mail but only received an autoresponse from Support on October 4. They still have not responded to the inquiry. DataBreaches.net also reached out to Click2Mail through their Twitter account via DM, but got no response there, either.
Would third time be the charm? DataBreaches.net initiated a chat session on Click2Mail’s site earlier today. After getting transferred from one support agent to a support agent named Antoinette Collins, DataBreaches.net repeated a summary of the issue and asked for a response. Ms Collins replied:
I apologize for the inconvenience we are aware of the possible issue and are working on it. All customers that have been affected will be contacted.
So they were already aware that customers have been affected by something, it seems.
But when I asked, “Are you confirming that there was/is a leak or breach?,” Ms. Collins wrote, “No I am not.”
They have not posted anything on their site yet and customers have not been notified of anything, either.
I gave Ms Collins this site’s contact info and indicated that I would like to hear from Security or the Press/Media contact, but I am not holding my breath on that.
To be clear: although this has the potential to be a big incident in terms of numbers, it’s not yet clear whether this was a hack or a leak, whether it was at Click2Mail or elsewhere, and who is misusing the data or for what purpose. The “Hola” message the former customer received, however, makes it appear likely that data have probably been acquired by those who won’t hesitate to use it for their own purposes. But how did they acquire the data and what are they doing with it?
DataBreaches.net is attempting to get more details on the email the former customer received, and will update this post as more information becomes available. If you received an email like the one described in this post, please contact this site via email to breaches[at]protonmail[dot]ch. This is a developing story…..