Earlier this week, PogoWasRight.org was contacted by an individual who reported that after attending BlackHat 2009, he recently started receiving spam at a unique e-mail address he had created specifically for Breach Security. After receiving spam, he contacted them to change the e-mail address to another unique e-mail address, but within days, started getting spam at that address, too. The spam started on or about January 27.
PogoWasRight.org contacted Breach Security to inquire about the complaint. In response, Breach Security CFO Craig Kussman wrote:
Breach Security has reviewed its internal processes with regard to handling of the email addresses gathered at BlackHat 2009. These addresses were uploaded directly into two well known marketing industry ASP sites under our private accounts. Both of these ASP have industry standard security and strong privacy policies in place.
Upon inquiry to both of these vendor ASPs regarding this report, one of them has indicated that it may have been subject to a data breach and they have an on-going internal investigation into the possible event. They have also contacted the FBI for further assistance.
Breach Security’s entire response can be found here.
In a subsequent communication, a spokesperson for Breach Security indicated that the unnamed vendor “became aware of the issue shortly before we contacted them” (in response to PogoWasRight.org’s inquiry) and that Breach Security uploaded only contact names and e-mail addresses to the vendor.
Thanks to Breach Security for their prompt and courteous response. Now we’ll wait to see if either Breach Security or the unnamed vendor issues any statement either confirming the breach or disconfirming it.
Ah yes, the old unique email address trick.
I also do this and have found this method invaluable in detecting email leaks.
In recent weeks I have received spam to an email address I used for a popular travel discusson website and to the address I use for a social networking site (not Facebook).
The owners of these compromised sites (usually) initially deny that they had an issue but so far it has turned out that I have been correct on every occasion.