Tuesday, 12 August 2014

Gourmet Society data leak

I use a unique email address when signing up for anything on the Internet. I have a whole domain I use for this.

So when I signed up for a Gourmet Society discount card (which is pretty good for Café Rouge in Wokingham) I used a specific email address. I even managed to mistype it, using gormetcard@... instead of gourmetcard@...

The idea is simple - if the email address leaks either by being sold for marketing, or by some sort of data leak, the source of the leak is obvious.

In this instance the leak is quite serious. I received a phishing email to the gormetcard email address claiming to be from PayPal asking for my card details, but using an x.co redirect which goes via HTTPS on localcampervan.com (which have presumably been compromised themselves) which goes to HTTP on paypal-customerfeedback.com.cgi.bin.webscr.cmd.login.submit.c6xp6cfh52b52myc6xp6cfh52b52myc6xp80r.newdaywellbeing.com which is an impressive hostname designed to confuse people.

Sadly the Gourmet Society have not replied to my email on this. Very disappointing. Time for an ICO report I feel.

Update: The Gourmet Society have finally replied - they are looking into it.
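The hostname above confuses people because they read it left to right, while the party that controls a host is named by its rightmost labels. The following check is an added example, not part of the original post; the brand list, the small suffix set standing in for the Public Suffix List, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
# Assumption: brands to watch for, mapped to the domains they really use.
BRANDS = {"paypal": {"paypal.com"}}
# Tokens that belong in a URL path or query, not in a hostname.
PATH_LIKE = {"cgi", "bin", "webscr", "cmd", "login", "submit"}


def registrable_domain(host):
    """Return the label registered with the registry plus its public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def analyse(url):
    """Report who actually controls the host and which labels are decoys."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    findings = []
    for brand, real in BRANDS.items():
        if reg not in real and any(brand in lab for lab in sub_labels):
            findings.append(f"brand '{brand}' appears in a subdomain of {reg}")
    decoys = [lab for lab in sub_labels if lab in PATH_LIKE]
    if decoys:
        findings.append("path-like labels in hostname: " + ",".join(decoys))
    if parts.scheme != "https":
        findings.append("not served over https")
    return {"registrable": reg, "depth": len(sub_labels), "findings": findings}


# Hostname and scheme as quoted in the post; the trailing "/" is constructed.
PHISH = ("http://paypal-customerfeedback.com.cgi.bin.webscr.cmd.login.submit."
         "c6xp6cfh52b52myc6xp6cfh52b52myc6xp80r.newdaywellbeing.com/")

if __name__ == "__main__":
    for key, value in analyse(PHISH).items():
        print(key, "->", value)
```

A mail filter or proxy would use the real Public Suffix List in place of the three-entry set here.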


  1. I've been using a similar system for more than a decade now, and this is sadly very common. When a company goes out of business, it is almost guaranteed to happen. I suspect because as part of the liquidation process, everything of value is sold off, including user databases. I've also seen it happen regularly when companies change ownership (without getting in financial difficulties first).

    I just set the compromised address to be rejected, and in the rare case that I'm still interested in the account, I change the email address. When the new address also gets targeted spam, it shows they're either getting my data repeatedly stolen, or sell updates of their database to spammers ;)

  2. I don't know how I manage it, but I get almost no spam. I'm conservative in what I sign up for online, but I do sign up for things.

  3. I've done this occasionally; the most irritating was Verio, with whom I registered a domain a long time ago. Thanks to Whois abuse, I *still* get spam attempts to verio@... over a decade later...

    At some point soon I plan to self-host the domain again, so I can reject certain senders on the SMTP delivery attempt. Blackholing everything from hetzner.de and plusserver.de should help greatly; from their policy of not accepting spam reports, I presume they're some sort of pink contract outfit.

  4. I, too, have been doing this for years; the frequency of address leaks is not high IME, but is disappointing. Two in particular stand out: (a) Computer Weekly (who really should know better), and (b) Alliance & Leicester / Santander (the leak occurred recently, long after the Santander takeover, but it might have been an old A&L machine being scrapped etc.)

    I've had little joy when pointing out to people that they have leaked my details: e.g. Avid tried to insist that it wasn't them that had leaked my unique-to-them address, but it must have been a dictionary attack, and it was my fault for using a guessable word for the local-part (when did you ever hear of a dictionary attack that tried only one address?)

    1. I had an issue early on with my version of this scheme where a small company was very concerned to see that their name appeared in my email address. So I switched to reversing the name. Then I had the Santander issue and realised I couldn't be sure how old the affected addresses were, so I added a monthly code. So now my spam-trap addresses are a little more unwieldy to type (and certainly to read over the phone on the odd occasion when that's needed) but I can be sure they aren't a dictionary attack and I have a known earliest date when they were compromised.

      The worst place for email compromises is anything connected with major MMOs like World of Warcraft. Since many players will use the same address for their Bnet account and for forums, tools, etc. the black hats have compromised practically every major such site. In the years when I was active on WoW I got phishing mails pretending to be from Blizzard to the addresses I had given on every single such site, but never once to the address I gave the real Bnet, showing just how bad the problem is.

  5. I too use the uniq address plan.

    It may be worth noting that if one gets spam, then yes, one explanation is the company's database was compromised. In theory however, it's also possible we've suffered a compromise ourselves, causing the uniq address to leak.

    This scenario is hopefully unlikely. However, actually proving it hasn't happened may not be hugely straightforward...

  6. I also have been using this scheme for a few years, but there's at least one firm that refuses to believe that they have leaked my address, despite the unique use of it, but suggest I've given it away on a forum - which I certainly haven't!
    Ah well, at least I know I can't trust them.

  7. I use suffixed addresses - I've had surprise from companies that I have an email address with their name in, but they have always accepted it without question. I find another side-effect useful... if an address is actually receiving a lot of wanted mail, it's easy for exim to filter it for me.

    I did have one odd failure that the sender never bothered to send me the full error message for - but it did work the second time they tried it.

    If a company either objects (not happened yet) or has a member of staff that can't even spell their own name (has happened once), then I use something obliquely related to the company name. When an address gets hit by a spammer (I use similar addresses for mailing lists), I put a date code and a letter somewhere in the suffix for future correct use and just feed the old one straight into spamassassin.
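The reversed-name and month-code addresses described in comments 4 and 7 can be issued and decoded mechanically. The sketch below is an added example, not code from any commenter; the keyed tag goes beyond the schemes they describe and is included so that an address nobody issued can be told apart from a leaked one. `SECRET`, `DOMAIN` and the function names are assumptions.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: a key only the mailbox owner holds
DOMAIN = "example.org"            # assumption: the owner's catch-all domain


def _tag(stem):
    """Short keyed checksum so a valid alias cannot be guessed from a word list."""
    return hmac.new(SECRET, stem.encode(), hashlib.sha256).hexdigest()[:6]


def issue(vendor, when):
    """Build an alias: reversed vendor name, YYMM month code, keyed tag."""
    stem = f"{vendor.lower()[::-1]}{when:%y%m}"
    return f"{stem}{_tag(stem)}@{DOMAIN}"


def decode(address):
    """Return (vendor, earliest_month) for an alias we issued, else None."""
    local, _, domain = address.lower().partition("@")
    if domain != DOMAIN or len(local) < 11:   # 1+ name, 4 month code, 6 tag
        return None
    stem, tag = local[:-6], local[-6:]
    if not hmac.compare_digest(tag, _tag(stem)):
        return None                           # never issued: a guess or a typo
    name, code = stem[:-4], stem[-4:]
    if not code.isdigit() or not 1 <= int(code[2:]) <= 12:
        return None
    return name[::-1], date(2000 + int(code[:2]), int(code[2:]), 1)


if __name__ == "__main__":
    alias = issue("gourmetcard", date(2014, 8, 12))  # constructed sample
    print(alias, "->", decode(alias))
```

Mail arriving at an address for which `decode` returns a vendor points at that vendor, and the month is the earliest date the address could have been exposed.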