Day: June 1, 2011

Which site’s database got sold/leaked?

Posted on by Andy

Earlier today I received several emails of the form:

Return-path: macdaddy@dedibox.fr
Envelope-to: andy@example.com
Delivery-date: Wed, 01 Jun 2011 00:58:02 +0000
Received: from impaqm2.telefonica.net ([213.4.138.10]
        helo=telefonica.net)
        by bitfolk.com with esmtp (Exim 4.69)
        (envelope-from <macdaddy@dedibox.fr>)
        id 1QRZl3-0006v3-06
        for andy@example.com; Wed, 01 Jun 2011 00:58:02 +0000
Received: from IMPmailhost3.adm.correo ([10.20.102.124])
        by IMPaqm2.telefonica.net with bizsmtp
        id qQYS1g01y2h2L9m3MQlr7A; Wed, 01 Jun 2011 02:45:51
        +0200
Received: from sd-1622.dedibox.fr ([88.191.14.154])
        by IMPmailhost3.adm.correo with BIZ IMP
        id qQlq1g00D3KS0VC1jQlqTB; Wed, 01 Jun 2011 02:45:5
        +0200
X-Brightmail-Tracker: ??
X-original-sender: electricidadromero@telefonica.net
Received: from [88.191.14.154] by sd-1622.dedibox.fr id
        96YxWPB6QbSt with SMTP; Wed, 01 Jun 2011 02:52:25
        +0200
Date: Wed, 01 Jun 2011 02:52:25 +0200
From: Support <macdaddy@dedibox.fr>
X-Mailer: The Bat! (v4.05.2) Personal
X-Priority: 3 (Normal)
Message-ID: <0288215865.30146090204853@sd-1622.dedibox.fr>
To: XXXX <andy@example.com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="windows-1252"
Content-Transfer-Encoding: 8bit
Subject: Your order reference is 1460489

Dear User, XXXX.

Your order has been accepted.

Your order reference is 18973.

Terms of delivery and the date can be found with the auto-generated msword
file located at:
http://www.macarthurmumsnbubs.com/Orders/Orders.zip?id:11190401Generation_mail=andy@example.com

============================
Best regards, ticket service.
Tel.: (050) 404 53 824

The above is verbatim other than I’ve replaced my email address with “andy@example.com” and the “XXXX” is actually a password that I’ve used on multiple web sites.

I assume that the linked Zip file is a trojan; I haven’t looked at it.

Does anyone else who’s received the same email know which site it might be who’s leaked or sold their user database?

Please don’t contact me to tell me that I should use a different password on every web site. That is impractical for me; I already use several different classes of password and the one in the email is one I only use on the most trivial sites. I’m not particularly worried over what details have been leaked, I’m more interested in which site leaked because whoever they are, they store their passwords in the clear.

I also can’t tell by email address. They seem to have used my generic email address, so this would be from before I started using a unique email address for each site.

Any ideas?

Sites which it is not:

Amazon, Apple, The Book Depository, Ebay, Facebook, Forbidden Planet, Giffgaff, Lulu, Moonpig, Novatech, PayPal, Play, T-Mobile, Twitter

(either I’m not a user of these services or my email/password there isn’t what were used)

Update 2010-Jun-02: It was Friendster.

Reporting it was hard work, but they did eventually agree to look into it.