Earlier today I received several emails of the form:
Return-path: firstname.lastname@example.org Envelope-to: email@example.com Delivery-date: Wed, 01 Jun 2011 00:58:02 +0000 Received: from impaqm2.telefonica.net ([220.127.116.11] helo=telefonica.net) by bitfolk.com with esmtp (Exim 4.69) (envelope-from <firstname.lastname@example.org>) id 1QRZl3-0006v3-06 for email@example.com; Wed, 01 Jun 2011 00:58:02 +0000 Received: from IMPmailhost3.adm.correo ([10.20.102.124]) by IMPaqm2.telefonica.net with bizsmtp id qQYS1g01y2h2L9m3MQlr7A; Wed, 01 Jun 2011 02:45:51 +0200 Received: from sd-1622.dedibox.fr ([18.104.22.168]) by IMPmailhost3.adm.correo with BIZ IMP id qQlq1g00D3KS0VC1jQlqTB; Wed, 01 Jun 2011 02:45:5 +0200 X-Brightmail-Tracker: ?? X-original-sender: firstname.lastname@example.org Received: from [22.214.171.124] by sd-1622.dedibox.fr id 96YxWPB6QbSt with SMTP; Wed, 01 Jun 2011 02:52:25 +0200 Date: Wed, 01 Jun 2011 02:52:25 +0200 From: Support <email@example.com> X-Mailer: The Bat! (v4.05.2) Personal X-Priority: 3 (Normal) Message-ID: <firstname.lastname@example.org> To: XXXX <email@example.com> MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 8bit Subject: Your order reference is 1460489
Dear User, XXXX.
Your order has been accepted.
Your order reference is 18973.
Terms of delivery and the date can be found with the auto-generated msword
file located at:
Best regards, ticket service.
Tel.: (050) 404 53 824
The above is verbatim other than I’ve replaced my email address with “firstname.lastname@example.org” and the “XXXX” is actually a password that I’ve used on multiple web sites.
I assume that the linked Zip file is a trojan; I haven’t looked at it.
Does anyone else who’s received the same email know which site it might be who’s leaked or sold their user database?
Please don’t contact me to tell me that I should use a different password on every web site. That is impractical for me; I already use several different classes of password and the one in the email is one I only use on the most trivial sites. I’m not particularly worried over what details have been leaked, I’m more interested in which site leaked because whoever they are, they store their passwords in the clear.
I also can’t tell by email address. They seem to have used my generic email address, so this would be from before I started using a unique email address for each site.
Sites which it is not:
Amazon, Apple, The Book Depository, Ebay, Facebook, Forbidden Planet, Giffgaff, Lulu, Moonpig, Novatech, PayPal, Play, T-Mobile, Twitter
(either I’m not a user of these services or my email/password there isn’t what were used)
Update 2010-Jun-02: It was Friendster.
Reporting it was hard work, but they did eventually agree to look into it.