Which site’s database got sold/leaked?

Earlier today I received several emails of the form:

Return-path: macdaddy@dedibox.fr
Envelope-to: andy@example.com
Delivery-date: Wed, 01 Jun 2011 00:58:02 +0000
Received: from impaqm2.telefonica.net ([213.4.138.10]
        helo=telefonica.net)
        by bitfolk.com with esmtp (Exim 4.69)
        (envelope-from <macdaddy@dedibox.fr>)
        id 1QRZl3-0006v3-06
        for andy@example.com; Wed, 01 Jun 2011 00:58:02 +0000
Received: from IMPmailhost3.adm.correo ([10.20.102.124])
        by IMPaqm2.telefonica.net with bizsmtp
        id qQYS1g01y2h2L9m3MQlr7A; Wed, 01 Jun 2011 02:45:51
        +0200
Received: from sd-1622.dedibox.fr ([88.191.14.154])
        by IMPmailhost3.adm.correo with BIZ IMP
        id qQlq1g00D3KS0VC1jQlqTB; Wed, 01 Jun 2011 02:45:5
        +0200
X-Brightmail-Tracker: ??
X-original-sender: electricidadromero@telefonica.net
Received: from [88.191.14.154] by sd-1622.dedibox.fr id
        96YxWPB6QbSt with SMTP; Wed, 01 Jun 2011 02:52:25
        +0200
Date: Wed, 01 Jun 2011 02:52:25 +0200
From: Support <macdaddy@dedibox.fr>
X-Mailer: The Bat! (v4.05.2) Personal
X-Priority: 3 (Normal)
Message-ID: <0288215865.30146090204853@sd-1622.dedibox.fr>
To: XXXX <andy@example.com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="windows-1252"
Content-Transfer-Encoding: 8bit
Subject: Your order reference is 1460489

Dear User, XXXX.

Your order has been accepted.

Your order reference is 18973.

Terms of delivery and the date can be found with the auto-generated msword
file located at:
http://www.macarthurmumsnbubs.com/Orders/Orders.zip?id:11190401Generation_mail=andy@example.com

============================
Best regards, ticket service.
Tel.: (050) 404 53 824

The above is verbatim other than that I’ve replaced my email address with “andy@example.com”, and the “XXXX” is actually a password that I’ve used on multiple web sites.

I assume that the linked Zip file is a trojan; I haven’t looked at it.

Does anyone else who’s received the same email know which site it might be that has leaked or sold its user database?

Please don’t contact me to tell me that I should use a different password on every web site. That is impractical for me; I already use several different classes of password and the one in the email is one I only use on the most trivial sites. I’m not particularly worried over what details have been leaked, I’m more interested in which site leaked because whoever they are, they store their passwords in the clear.

I also can’t tell by email address. They seem to have used my generic email address, so this would be from before I started using a unique email address for each site.

Any ideas?

Sites which it is not:

Amazon, Apple, The Book Depository, Ebay, Facebook, Forbidden Planet, Giffgaff, Lulu, Moonpig, Novatech, PayPal, Play, T-Mobile, Twitter

(either I’m not a user of these services, or the email/password combination I use there isn’t the one that appeared in the email)

Update 2010-Jun-02: It was Friendster.

Reporting it was hard work, but they did eventually agree to look into it.
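As an added example (not code from the post), a Python script that walks a Received chain like the one above from the bottom up to find the submitting host, and flags the two tells in the body: a link sold as an msword file that actually fetches a .zip, and a query string carrying the recipient’s own address. The sample message is reconstructed from the post’s headers with the internal telefonica hop dropped, a constructed timestamp for the dedibox hop, and a placeholder password.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample assembled from the post's headers (one hop dropped, folding
# compacted, dedibox hop timestamp constructed); "hunter2" stands in for the password.
RAW = """\
Received: from impaqm2.telefonica.net ([213.4.138.10] helo=telefonica.net)
        by bitfolk.com with esmtp (Exim 4.69) (envelope-from <macdaddy@dedibox.fr>)
        id 1QRZl3-0006v3-06 for andy@example.com; Wed, 01 Jun 2011 00:58:02 +0000
Received: from sd-1622.dedibox.fr ([88.191.14.154]) by IMPmailhost3.adm.correo
        with BIZ IMP id qQlq1g00D3KS0VC1jQlqTB; Wed, 01 Jun 2011 02:45:51 +0200
Received: from [88.191.14.154] by sd-1622.dedibox.fr id 96YxWPB6QbSt
        with SMTP; Wed, 01 Jun 2011 02:52:25 +0200
From: Support <macdaddy@dedibox.fr>
To: XXXX <andy@example.com>
Subject: Your order reference is 1460489

Dear User, hunter2.

Terms of delivery can be found with the auto-generated msword file located at:
http://www.macarthurmumsnbubs.com/Orders/Orders.zip?id:11190401Generation_mail=andy@example.com
"""

def parse_received(value):
    """One Received header -> from-host, from-IP, by-host, timestamp."""
    v = re.sub(r"\s+", " ", value)  # unfold continuation lines
    def grab(pat):
        m = re.search(pat, v, re.I)
        return m.group(1) if m else None
    return {"from": grab(r"\bfrom (\S+)"), "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
            "by": grab(r"\bby (\S+)"), "date": v.rsplit(";", 1)[-1].strip()}

def received_chain(msg):
    """Each relay prepends its header, so reverse: index 0 = earliest (submitting) hop."""
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]

def analyze(raw):
    """Origin hop plus lure-link heuristics: an archive link sold as a document, and a
    query string carrying the recipient address (a per-victim tracking token)."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload()
    links = [{"url": u,
              "archive": u.split("?", 1)[0].lower().endswith((".zip", ".rar", ".7z")),
              "claims_document": bool(re.search(r"msword|\.docx?\b", body, re.I)),
              "tracks_recipient": bool(recipient) and recipient in u.lower()}
             for u in re.findall(r"https?://\S+", body)]
    # Only the hop your own MX added (chain[-1]) is trustworthy; lower hops can be forged.
    return {"origin": chain[0], "entry": chain[-1], "links": links}
```

The origin hop is what the post’s conclusion rests on: it is only as reliable as the telefonica.net relay that recorded the dedibox.fr connection.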

11 thoughts on “Which site’s database got sold/leaked?”

  1. I also received this one this morning with a real password in the opening line, also from a dedibox.fr address. The zip file contains a file named something like Order.docx_______________________.exe, so yes – a trojan.

    If it’s a single list (rather than a composite of several stolen databases), then it’s definitely NOT any of the following:
    Twitter; Facebook; Play; Amazon; eBay; Lulu; The Book Depository; MoonPig; Novatech; GiffGaff; T-Mobile; Forbidden Planet; Apple.

    The only one I’ve found which matches the combination of password/email from my own accounts so far is VMWare. Hm.

  2. Thanks for posting this, which I found using the sd-1662 reference. I too got something similar:

    Dear client,
    Thank you for the order,
    your credit card will be charged for 247 dollars.
    For more information, please visit our web site:
    http://dealiolocal.com/Orders/Orders.zip?id:344933Generation_mail=

    I used an anonymous proxy to visit the link but didn’t download the zip file.

    I tried emailing abuse@support.dedibox.fr and it was bounced. I also wonder how dealiolocal.com has been compromised in this way.

    1. Moomin, I think the email I (and Tara) received is from a later evolution of this because instead of “Dear client” I got “Dear XXXX” where “XXXX” is an actual plain text password I have used.

      There are also more examples of the attack payload and email text out there, but none of these include a password, so I think this attacker has either evolved or taken someone else’s attack and tried to step it up.

  3. I agree that getting a password in an attack email is a new and disturbing experience. Let’s see if you get some more comments on this and if anyone is able to use any of this posted info to nail the perp.

  4. According to someone on my twitterfeed it was Friendster (this person used a unique address for that site).

  5. The spam mails I’m getting are just like yours. I’m 100% sure mine leaked from friendster. Only place which I’ve used manar-friendster@ivision.co.uk as my email address :). Moreover I can’t recall when I last actually logged into friendster.

  6. Amazing…like Manar, I hadn’t logged onto my friendster account in ages…well over a year or two!

  7. Definitely Friendster, I got one of these emails, and because Friendster only allow ten characters my password was snipped. That’s the only place where I use that password, but with the last four characters missing.

    Thanks for letting me know what you’d found out.
