
[Closed] Superstar Components - customer database - potential leak

Posts: 0
Free Member
Topic starter
 

Just wondered if anyone else is getting targeted spam emails with the email address and password they used to register for a Superstar Components account?

I use a system that allows me to register a unique email address and password for each site I register for and I've just started getting spam messages to that unique email address and then earlier today I got a message that included the email address and password that I registered with SSC.

Bit too much of a coincidence, but I thought I'd see if there have been any others with a similar problem...


 
Posted : 21/10/2018 1:23 pm
Posts: 953
Full Member
 

I've had nothing so far.


 
Posted : 21/10/2018 1:26 pm
Posts: 77347
Free Member
 

There's a bigger problem there.

Passwords should be stored with one-way encryption.  Even with a breach, it shouldn't be possible to extract passwords unless they've been held incorrectly.


 
Posted : 21/10/2018 1:41 pm
Posts: 36
Free Member
 

I also issue unique addresses to organisations, incl. Superstar Components, and I haven't seen any unexpected activity at that address.


 
Posted : 21/10/2018 1:50 pm
Posts: 2053
Free Member
 

I use a system that allows me to register a unique email address and password for each site I register for

Well, if it ain't Superstar, there's only one other source for your data...

Plus one way encryption...


 
Posted : 21/10/2018 2:50 pm
Posts: 0
Free Member
Topic starter
 

Yep, slightly conscious of that, hence the question. I'm running good AV and anti-malware protection. In terms of a key logger, the last order I placed was in Apr 2015, so if that's the source of a breach they have sat on the data for 3 1/2 years.

Thanks for all the replies so far, I'll continue to monitor this.


 
Posted : 21/10/2018 4:53 pm
Posts: 1862
Free Member
 

Searching https://haveibeenpwned.com is usually quite informative.


 
Posted : 21/10/2018 5:36 pm
Posts: 428
Free Member
 

I've been receiving these emails too - unique password to superstar components

edit - this leak isn't on HIBP

Tom


 
Posted : 21/10/2018 6:40 pm
Posts: 30093
Full Member
 

Even with a breach, it shouldn’t be possible to extract passwords unless they’ve been held incorrectly.

Given enough time…


 
Posted : 21/10/2018 7:06 pm
Posts: 0
Free Member
Topic starter
 

Just had a look on HIBP and the email address I used comes up; it seems it appears on a list as part of something called the 'Onliner spambot' incident.

The incident appears to be the discovery of a huge list of email addresses and some associated passwords.

Is it possible that someone has hacked the SSC site and the resultant data has been collected and added to the list above?

Tom, interesting to hear you’ve experienced this as well, has it just started recently?


 
Posted : 21/10/2018 9:57 pm
Posts: 0
Free Member
 

I get loads from a lot of unique addresses. It's amazing how many, though it's more likely the addresses have been acquired via compromised mail servers between source and destination. I just block them on my mail server and use a new one.

However inclusion of password is more concerning. In what way is this occurring? Free text password just in the spam?


 
Posted : 21/10/2018 10:07 pm
Posts: 428
Free Member
 

Deadkenny - In the subject and the body of the email ... your password is *******

Davey - a month or 6 weeks maybe?


 
Posted : 22/10/2018 8:52 am
Posts: 13594
Free Member
 

your password is *******

$2000 or I post your porn shots to all your email contacts?


 
Posted : 22/10/2018 8:57 am
Posts: 0
Free Member
Topic starter
 

Yep, the password is in plain text in the email and, as Footflaps suggests, it's "send me a payment in Bitcoin and I won't send the webcam videos to all your contacts". I don't have a webcam, I don't keep my contacts on the PC and the password is one that I've only used on the SSC site, so no worries there.


 
Posted : 22/10/2018 12:05 pm
Posts: 13594
Free Member
 

I was thinking the other day that, given the blockchain is public, it ought to be fairly simple to decipher it to see how many people actually cough up for the porn blackmail emails (as the email contains the target address). I get loads of them at the moment; seems to be the scam du jour.


 
Posted : 22/10/2018 12:08 pm
Posts: 0
Free Member
Topic starter
 

Hey, that's a bit more technical than my abilities... but yep, I've just looked at the 2 recent emails to the SSC registered email address and they both have the same bitcoin wallet for payment.

As I'd commented above, I'm not concerned about the claims in the spam email, aside from the factors mentioned above the spam email states they have hacked the email account - there isn't even an email account for the email address and password they're using.

I did email SSC when I first started getting the spam emails (but no password) and they stated they hadn't been compromised and the passwords are handled by the following means:

"salt and hash their password and store the resulting data" - is this secure?


 
Posted : 22/10/2018 12:32 pm
Posts: 428
Free Member
 

I did email SSC when I first started getting the spam emails (but no password) and they stated they [s]hadn’t been[/s] aren't aware they have been compromised

FTFY/Them


 
Posted : 22/10/2018 12:57 pm
Posts: 30093
Full Member
 

“salt and hash their password and store the resulting data” – is this secure?

Given enough time…

They are following best practice… but all that does is make it (much) slower to crack the password… which is one of the reasons any password that pops up in one of these spam/blackmail accounts will be an old one. Old passwords are bad passwords… it's your job to kill them. It's also why password only security is poor security.


 
Posted : 22/10/2018 1:08 pm
Posts: 0
Free Member
 

“salt and hash their password and store the resulting data” – is this secure?

That's the basic technique. A proper hash isn't reversible encryption and isn't storing the password, it's a value that can be generated using the password to confirm the password is correct.

The security though depends on the algorithm used. The salt adds a randomness to it which makes dictionary attacks difficult.

But, if you've used the same email and password on another site there's a chance it's come from a hack there.

Anyway, just re-reading this bit...

I use a system that allows me to register a unique email address and password for each site I register for

Are you using a bit of software or a site to do this? Or do you mean you have a system you've created yourself, such as a wildcard domain name so you just make up an email address and random password, note them down somewhere?

Is the plain-text password in the spam definitely the password you've used?


 
Posted : 22/10/2018 1:14 pm
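The two replies above ("given enough time..." and "the security depends on the algorithm used") are worth seeing in working code. The following is an added example, not Superstar Components' code and not anything posted in the thread. It stores the same weak password two ways, a salted but fast SHA-256 and a deliberately slow PBKDF2, then runs the same small dictionary attack against the leaked (salt, digest) pair. The wordlist, passwords and iteration count are constructed for illustration.

```python
"""Added example (not Superstar Components' code): why "salt and hash" alone
does not stop a leaked database turning back into plaintext passwords.

The salt defeats precomputed tables, but a weak password falls to a wordlist
either way; a slow KDF only raises the attacker's cost per guess. All data
below is constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "bikes2015", "superstar1", "correcthorse"]

KDF = Callable[[str, bytes], bytes]


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted, but fast: one SHA-256 per guess, millions per second on a GPU."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted and slow: PBKDF2-HMAC-SHA256. Every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str, kdf: KDF) -> Tuple[bytes, bytes]:
    """What the site keeps: a random per-user salt and the digest, never the password."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def verify(password: str, salt: bytes, digest: bytes, kdf: KDF) -> bool:
    """Login check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(kdf(password, salt), digest)


def dictionary_attack(salt: bytes, digest: bytes, kdf: KDF, wordlist=WORDLIST) -> Optional[str]:
    """What an attacker does with a leaked (salt, digest) pair: try each guess.
    The salt sits beside the digest in the dump, so it does not slow this down."""
    for guess in wordlist:
        if hmac.compare_digest(kdf(guess, salt), digest):
            return guess
    return None


def cost_ratio(kdf_slow: KDF, kdf_fast: KDF, password: str = "bikes2015") -> float:
    """How many times more expensive one guess is under the slow KDF."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    kdf_fast(password, salt)
    t1 = time.perf_counter()
    kdf_slow(password, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    for name, kdf in [("salted SHA-256", salted_sha256), ("PBKDF2", slow_kdf)]:
        salt, digest = store("bikes2015", kdf)
        print(f"{name}: cracked -> {dictionary_attack(salt, digest, kdf)!r}")
    print(f"PBKDF2 costs ~{cost_ratio(slow_kdf, salted_sha256):,.0f}x per guess")
```

Both schemes give up "bikes2015" because it is in the wordlist; the slow KDF just takes tens of thousands of times longer per guess, which is exactly the "given enough time" point. A password unique to one site and not in any wordlist is the thing the attacker cannot recover, whichever hash was used.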
Posts: 1704
Free Member
 

Could you not be the victim of a phishing attack and you've entered that email and password into a site you thought was SSC?


 
Posted : 22/10/2018 1:20 pm
Posts: 6690
Free Member
 

I use a system that allows me to register a unique email address and password for each site I register for

What is this system? Sounds useful. Is it automated?


 
Posted : 22/10/2018 1:30 pm
Posts: 0
Free Member
 

Also looking at stuff about "Onliner Spambot" it seems the majority of the spam list (711 million addresses) are just emails. There are some passwords but apparently they're from older hacks.

Actually, thinking about it, many years ago I was getting spam to my SSC address. I simply changed the address and blocked the spammed address. Haven't had any more since. Though whether they've been trying to send spam with my password to the old address I wouldn't know as the mails are blocked.


 
Posted : 22/10/2018 1:32 pm
Posts: 428
Free Member
 

Based on the email address / password they are sending to, I believe this is likely to be an older hack - I've only ever ordered from SSC a couple of times, nothing in the last 3/4 years


 
Posted : 22/10/2018 1:43 pm
Posts: 12865
Free Member
 

I've been getting these mails too. It's [I]possible[/I] it's from SSC, as before I was woke to internet security I used to generate passwords by using the same "base" password and then ending it with something specific to the site, i.e. for SSC I might've ended it with an "s" (which is what is being sent to me in this email). However I updated the password in late 2015 to something totally unique and obviously there's no way to check old passwords, so I couldn't say for sure.


 
Posted : 22/10/2018 2:04 pm
Posts: 0
Free Member
Topic starter
 

Thanks everyone - some great replies. I think I'll have to park this incident as 'un-explained'. The email and password I got in the spam email was definitely the one I used for SSC and nowhere else.

The system I use is based on being able to use any alias before the @ symbol so for SSC I register with davessc@<my domain>. This has helped me track previous suspicious activity with other companies and then block future spam to the unique address.

The 'old password/old hack' theory chimes as well - the last order I placed with SSC was 2015.


 
Posted : 22/10/2018 7:59 pm
Posts: 36
Free Member
 

Davey, the only address to which I have been sent emails quoting an old password in text (plus porn/bitcoin threats) was the one I used for LinkedIn who had a reported major hack. It was not an address used for ssc though.


 
Posted : 22/10/2018 8:04 pm
Posts: 0
Free Member
 

If you use Gmail, you can get unique addresses by adding a plus. eg myname+shop@gmail.com will still go to myname@gmail.com


 
Posted : 22/10/2018 8:07 pm
Posts: 3384
Free Member
 

Cheers Craig,  that's handy to know.


 
Posted : 22/10/2018 8:30 pm
Posts: 0
Free Member
Topic starter
 

That's a great Gmail tip, I didn't know that


 
Posted : 23/10/2018 8:31 am
Posts: 0
Full Member
 

Not just Gmail - it's a standard from RFC5233 I think.  Some lazy website developers don't accept the + in their email address validation code, though.  You can (in theory) chain them for example : orange+shopping+amazon@domain.com for even more granular processing.  When you forget your password to websites, be sure you can remember what actual email address you used to sign up, though 🙂


 
Posted : 23/10/2018 9:03 am
Posts: 0
Free Member
 

@Davey, with your multiple emails/domain idea, what email client do you use to manage the emails?


 
Posted : 23/10/2018 9:05 am
Posts: 0
Free Member
 

Not just Gmail – it’s a standard from RFC5233 I think

It depends on sub-addressing support from the email provider. Many of the major ones support it in some form, though the separator may vary. Gmail and Outlook use the '+' separator.

The problem though is spammers just have to strip the sub-address part and have the main email address, plus as said some web forms don't accept '+' in their validation rules (though the regular expressions for email validation can get ridiculous and allowing everything possible by the standards may accept things your application or even mail servers may not handle. https://www.regular-expressions.info/email.html).

Alternately, get a domain name (useful anyway to be able to move providers) and forward mails for anything @domain to your email provider, or if they allow configuring a domain, do that. You might get spam to randomly generated addresses at your domain, though some email providers/servers may let you blacklist or whitelist addresses.


 
Posted : 23/10/2018 9:59 am
Posts: 0
Free Member
 

Superstar suck anyway.


 
Posted : 23/10/2018 1:24 pm
Posts: 0
Full Member
 

It depends on sub-addressing support from the email provider

You might be right, I haven't looked at this in a while, but I believe any delivery should either ignore the text after the +, or act on the information (e.g. put it in a folder). My delivery server does just that sort of thing, but I think that any standards compliant server should at a minimum just deliver it to the address to the left of the +.

(But then IIRC any standards compliant server should not differentiate firstname.lastname from firstnamelastname but many do or at least did when I cared enough about this stuff 🙂 ...)


 
Posted : 23/10/2018 1:31 pm
Posts: 77347
Free Member
 

The domain part of an email address (the bit after the @ symbol, gmail.com or whatever) may be processed by multiple servers, but the only thing that cares about the name part before the @ is the final destination server which you collect your email from.

Standards or no, it's down to that individual server to do what it likes with dots, plus signs and so forth.  Whether dave.smith is synonymous with davesmith or dave.smith+stw etc is dependent on whatever system / policy that particular mail host has implemented.


 
Posted : 23/10/2018 1:48 pm
Posts: 0
Free Member
 

Well, I've just had one of these emails now, but it isn't SSC. Very old (and shit) password, but the email address is one I used a very long time ago (15+ years!), on a different domain I rarely use.

Usual stuff about bitcoin, hacked your PC etc.

So someone's created a spambot that uses the passwords from a hacked account list as an extra element to the usual phishing emails. It's worrying that some people may think it's a genuine hack of their PC because the password may be a valid one they've used, and thus will pay up.


 
Posted : 23/10/2018 5:21 pm
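The pattern the posters describe (an old password in the subject, a threat about webcam footage and contacts, a Bitcoin wallet, the same wallet across several emails) is easy to triage mechanically. The following is an added example, not code from the thread, run over constructed sample messages; the wallet addresses, passwords and the password-to-service mapping are all made up. It does not query the blockchain to see whether the wallet has been paid (that needs a network lookup), it only extracts and counts the wallets.

```python
"""Added example (not from the thread): triage for the "your password is X,
pay in bitcoin" extortion spam the posters describe, run over constructed
sample messages. Wallet addresses and passwords below are made up.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed samples. 'to' is the unique alias the spam arrived at.
SAMPLES = [
    {"to": "davessc@example.net",
     "subject": "davessc - your password is hunter2",
     "body": "I hacked your webcam. Send $2000 in bitcoin to "
             "1AbCdEfGhJkMnPqRsTuVwXyZ2345678 within 48 hours or I send the "
             "video to all your contacts."},
    {"to": "davessc@example.net",
     "subject": "Your order has shipped",
     "body": "Thanks for shopping with us, your parcel is on its way."},
    {"to": "tom+ssc@example.org",
     "subject": "security notice",
     "body": "Your password is: hunter2. Pay 0.3 BTC to "
             "1AbCdEfGhJkMnPqRsTuVwXyZ2345678 or everyone you know sees the recording."},
    {"to": "old-address@example.org",
     "subject": "I know everything",
     "body": "your password is winter99. transfer bitcoin to bc1qexamplespamwa "
             "and I delete the files."},
]

# Constructed mapping of passwords the recipient only ever used with one service.
# A hit tells you whose database the spammer's list came from, as the OP worked out.
PASSWORD_ORIGIN: Dict[str, str] = {"hunter2": "Superstar Components (2015 registration)"}

PASSWORD_RE = re.compile(r"your password is[:\s]+([^\s,.;!]+)", re.IGNORECASE)
# Legacy base58 addresses start with 1 or 3 (no 0, O, I, l); bech32 ones start with bc1.
BASE58_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\b")
THREAT_RE = re.compile(r"\b(contacts|webcam|video|recording|files)\b", re.IGNORECASE)
PAYMENT_RE = re.compile(r"\b(bitcoin|btc)\b", re.IGNORECASE)


def triage(msg: Dict[str, str]) -> Dict[str, object]:
    """Classify one message and pull out the indicators worth keeping."""
    text = f"{msg['subject']}\n{msg['body']}"
    match = PASSWORD_RE.search(text)
    password: Optional[str] = match.group(1) if match else None
    wallets = BASE58_RE.findall(text) + BECH32_RE.findall(text)
    demands_payment = bool(wallets) or PAYMENT_RE.search(text) is not None
    threatens = THREAT_RE.search(text) is not None
    return {
        "to": msg["to"],
        "password": password,
        "wallets": wallets,
        # Password + payment demand + threat is the mass-mailed template,
        # not evidence that this machine was compromised.
        "is_extortion": password is not None and demands_payment and threatens,
        "likely_source": PASSWORD_ORIGIN.get(password) if password else None,
    }


def wallet_counts(messages: Iterable[Dict[str, str]]) -> Counter:
    """One wallet across many emails means one campaign, not a targeted attacker."""
    counts: Counter = Counter()
    for m in messages:
        counts.update(triage(m)["wallets"])
    return counts


if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m))
    print(wallet_counts(SAMPLES).most_common())
```

Two of the four constructed messages carry the same wallet, which is the observation made earlier in the thread about both emails sharing one Bitcoin address. The "likely_source" field is what turns a scary email into useful information: which old account's credentials are circulating.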
 ajaj
Posts: 0
Full Member
 

To answer the original question - yes.

I use unique accounts, and the Superstar one was compromised years ago. If yours has only just started then I'd guess they've been raided multiple times, or you've only just started using them.

I did tell them, they ignored me.

Mandatory notification for data breaches now though, but that requires a level of competence that Superstar clearly don't have.


 
Posted : 23/10/2018 6:53 pm
Posts: 4170
Free Member
 

Another place where compromises can happen is public WiFi without WPA2 encryption, unless you use a VPN.

Apart from using the + in gmail addresses, you can also insert or remove dots anywhere before the @ - so for example fred.bloggs@gmail.com could use fr.ed.bl.og.gs@gmail.com or fredbloggs@gmail.com. That gets round using different + variants to contact the vendor, provided you use the right dots when logging in; anything works in emails.

If you do have multiple 'from' addresses, Mozilla Thunderbird allows you to set up as many 'identities' as you like.


 
Posted : 23/10/2018 7:57 pm
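The sub-addressing discussion above (the '+' tag, chained tags like orange+shopping+amazon, dots being ignored by some hosts, and the point that only the destination mail host decides any of this) can be pulled together into one piece of code. The following is an added example, not code from the thread or from any mail provider. The per-domain rules table is constructed for illustration and is not an authoritative description of Gmail's or Outlook's behaviour; the alias-to-service registrations are constructed in the style the OP described.

```python
"""Added example (not from the thread): canonicalising sub-addressed aliases
and using them to attribute a leak. PROVIDER_RULES is a constructed table;
only the destination host really decides what '+' and '.' mean.
"""
from typing import Dict, Optional, Tuple

# Constructed policy table: sub-address separator and whether dots are ignored.
# separator None means no sub-addressing (e.g. a catch-all on your own domain).
PROVIDER_RULES = {
    "gmail.com": {"separator": "+", "ignore_dots": True},
    "outlook.com": {"separator": "+", "ignore_dots": False},
    "example.net": {"separator": None, "ignore_dots": False},
}
DEFAULT_RULES = {"separator": None, "ignore_dots": False}

AliasKey = Tuple[str, Optional[str]]


def canonical(address: str) -> AliasKey:
    """Return (mailbox the host actually delivers to, sub-address tag or None).

    Assumes the host folds case in the local part (most do; RFC 5321 leaves it
    to the receiving server). Domains not in the table get no special handling.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    domain = domain.lower()
    rules = PROVIDER_RULES.get(domain, DEFAULT_RULES)
    tag: Optional[str] = None
    if rules["separator"] and rules["separator"] in local:
        # Everything after the first separator is the tag, so a chained
        # orange+shopping+amazon carries the single tag "shopping+amazon".
        local, _, tag = local.partition(rules["separator"])
    if rules["ignore_dots"]:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}", tag


def build_alias_index(registrations: Dict[str, str]) -> Dict[AliasKey, str]:
    """Map each registered alias, in canonical (mailbox, tag) form, to its service."""
    return {canonical(alias): service for alias, service in registrations.items()}


def leaked_service(recipient: str, index: Dict[AliasKey, str]) -> Optional[str]:
    """Which service was this spam's recipient address registered with?

    None means it cannot be attributed. The usual reason is that the spammer
    stripped the +tag, which is trivial for them; a unique local part on a
    catch-all domain (davessc@<my domain>) does not have that weakness.
    """
    return index.get(canonical(recipient))


# Constructed registrations in the style the OP described.
REGISTRATIONS = {
    "davessc@example.net": "Superstar Components",
    "dave+linkedin@gmail.com": "LinkedIn",
    "da.ve+stw@gmail.com": "Singletrack forum",
}

if __name__ == "__main__":
    index = build_alias_index(REGISTRATIONS)
    for rcpt in ["davessc@example.net", "d.a.v.e+linkedin@gmail.com", "dave@gmail.com"]:
        print(rcpt, "->", leaked_service(rcpt, index))
```

The last lookup in the usage block returns None: once the tag is stripped, the Gmail-style alias tells you nothing about where the address leaked from, whereas the catch-all alias on your own domain still does. That is the trade-off the replies above were circling.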
