SmugMug data compromised?
marc1
Registered Users Posts: 5 Beginner grinner
Hello guys.
I recently signed up for a SmugMug account and have been enjoying the service. However, something happened that I found unsettling.
Just as I do for all online services, I signed up for SmugMug with a unique email address. In other words, the email address I gave them has never been given to anyone else. It looks something like smugmug-address@mydomain.com
A few weeks later I started to get spam sent to that address. Some pretty hard core spam - like spoofed emails from banks asking me "re-login" to "verify" my account among many others.
While I doubt SmugMug would knowingly sell our email address to a third party (that would seem like a violation of their TOS), there might be something else going on that they are not aware of such as a security breach, dishonest employee, etc.
I contacted SmugMug telling them I think they have a problem. I got a "sorry nothing I can do for ya" sort of email response. Pretty useless and certainly did nothing to look into the matter further.
I know I am not the only person who has been affected by this. One of the spam messages I got displayed the addresses in the CC field instead of the BCC field. I noticed many others used the same approach I did (unique email addresses which included the word smugmug).
Most users probably would not even notice this problem as I am sure the majority of users provided their standard email address when signing up. So any additional spam may go entirely unnoticed.
However, this is a serious problem. Aside from the fact that I really despise spam, I wonder if email addresses are being accessed, what else has been?
I would be curious to get feedback from the community or SmugMug representatives.
Comments
Welcome to dgrin but ouch are we sorry it's under these circumstances.
Yours isn't the only query like this we've had in the last week or so and we've been wracking our brains, trying to figure out what could possibly have happened.
But now I'm focused on the curious phenomenon that everyone who has inquired about this lives in the same state. It turns out that 3 weeks ago I made a spreadsheet of a subset of people in that state, and so far it looks like the people affected came from that subset. I'd love it if you could send another email to the help desk with your account name (or via PM on dgrin) so I can check to see if you match the pattern.
That spreadsheet was shared among four of us at SmugMug, all close members of the family. Two of us have Macs, one has a PC that I just scanned several ways and it appears clean, and we're about to scan the other one.
More as I know it. We're really sorry this happened to you but thanks for letting us know about this.
Baldy
I just PMed you. Please let me know what you find out.
I also use a unique email address for each of my Smugmug accounts and I too have been hit with a recent rash of spam to that address in the last few weeks. I got some on both of my smugmug email addresses (one for each account I have).
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
I have your email to us from 12/1 saved, waiting till we have more and complete information before sending an update to you.
Stay tuned, thanks - and like Baldy said, sorry your first taste of SmugMug was a bit sour! We take this very very seriously and we're putting an all-out effort into this.
Portfolio • Workshops • Facebook • Twitter
I wasn't 100% sure that the source of the problem was Smugmug when it first started since I have used the affected e-mail address sparingly in other places, but now that I found this thread it seems to confirm my suspicions.
The good news is that apparently sums totalling over $10 million dollars will be soon wired into my bank account!
My Photos
My Blog
On Google+
On DrivingLine
The idea was to select people close by for party invites who are pretty active users.
Someone reported that they changed their SmugMug email address and got two spams not long after, so that wouldn't fit the spreadsheet theory.
You can add me to the spam list and at least some of the e-mails have been getting through my very good external spam filter (provided by my technical organization -- extremely aggressive).
We have a theory for how this happened and if we're right anyone who changes an email address like smugmug-abcd@ to smugmug-efgh@ shouldn't see any more spam.
I can't tell you how awful we feel and how sorry we are. To have this happen to a company that says all over its site that we hate spam and you'll never get any from us is revolting.
Can you be more specific here on what I would change to stop getting spam? I didn't quite understand.
I have two accounts. One has an email address smugmug@xxxxx.com, the other has an email address smugmug-friend@xxxxx.com.
Doesn't matter what you change them to, the change will probably foil the spammer. For example, you could change to smugmug1@xxxxx.com and smugmug2@xxxxx.com and be safe.
Two people had said they changed their email addresses and got spam again. I think that's because this spammer got ahold of the script that generated the spreadsheet and could run it repeatedly. We disabled that script so if that was the leak, which is my bet, changing your email address will do the trick.
Eh, my filter is diverting it to my anti-spam folder so I can deal with it for now. If it doesn't get any worse it's okay. My fear is that my address will proliferate throughout the spamming world and then it will get out of control.
It just takes one mistake by whoever you give your email to. My biggest mistake so far was registering with my real email to the Wedding Photographers Expo, which opened me up to an unbelievable amount of spam.
I hope you are able to catch the person responsible for this.
OK, just to be clear here. I can change my smugmug email addresses, but that won't stop spam from continuing to come in on the old email addresses, right. So, if I want that stuff to stop landing in my main mailbox (all of these addresses funnel to the same mailbox), I have to filter them out or block them somehow. And, I've got to think about real people who have this email address in their address book.
FYI to those of you who use StarExplorer, you have to get Nikolai to issue a new license for you when you change your email address because it won't work anymore when you change your address. Doable, but kind of a pain and it's important to plan the timing of getting a new license/changing your address if you need to use StarExplorer.
Here's an idea: how about a @smugmug e-mail address for each account which is used for login and smugmug communications? The e-mail address would only send/receive to @smugmug.com.
We do the only thing we can when something like this happens, which is to train our spam filters for the new spammers who find us. It's horrible, but if I want to keep a meaningful email address at SmugMug I have to deal with it.
You were fortunate enough to have a domain where the harvest for spammers wasn't as big as it would be at, say, IBM, so they probably weren't pounding you with guesses. It really pains us that we contributed to your relatively quiet domain getting pounded.
I love SmugMug but I do have some technical questions about this issue:
1) How was the script stolen?
2) How could the script be run remotely?
3) Can someone write a similar script and exploit the same weakness and gather other info?
4) What is being done to prevent this from happening? Basically, can other info (e.g. credit card numbers) be stolen using the same methods.
I think I would be a bit more comfortable if that excel file was somehow stolen due to a PC vulnerability. Having a script leaked and run leaves me a bit more worried…
Don wrote the script to fetch potential names for the party. The actual code for it wasn't stolen and we don't see how it could have been, but we think the way you fire it probably was.
The way you fire it is to go to a certain obscure URL that seemed impossible to guess.
For example, when you submit a certain URL to SmugMug, you get the browse page. Submit a certain different one, you get your home page. You could guess those, but it seemed impossible to guess the one he created to list email addresses for our California customers.
Don sent the URL to Mark, who entered it into Firefox's address bar. That fired the script and populated a Firefox window with the data, which Mark saved as a file and imported into a spreadsheet.
Our theory is the URL was intercepted when it was submitted from Firefox, possibly by a toolbar like Alexa's. Had we made the resulting script executable only if you entered a password, this wouldn't have happened.
Clear as mud?
As I was sending emails to customers to invite them, I was asking myself if our invites were spam. I made sure they came from my email address and that I addressed them all by first name. I chose only customers who were active and in our area who I thought would appreciate knowing about the party. Everyone who responded seemed incredibly grateful to get the invite.
But I was thinking, "Since we don't spam we're not good at this." So we were on high alert for anything that could go wrong.
I'd give up having the great party we had in trade for not making this goof if I could.
Thanks,
Baldy
How he got the URL is still a mystery, but there's no more doubt about how he got the email addresses.
additionally, there seems to be no pattern in the emails that have been sent to my smugmug address.
Baldy, were you able to get an IP?
Actually, in addition to password, I would have thought a system like that should have only been accessible from behind a Smugmug-internal firewall. That's how most companies (even small companies) deal with internal systems - it takes an act of God and a lot of security review to let something that contains internal business information or customer information ever be accessible outside the corporate firewall.
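As an added illustration (not code from SmugMug or from anyone in this thread) of the failure Baldy describes and the fix jfriend suggests: the same export script reachable only by an obscure path, next to a version that also requires an internal source address, an authenticated staff user, and writes an audit trail. The path, IP range and customer records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the kind of records the party-list script returned.
CUSTOMERS = [
    {"name": "Alice Example", "state": "CA", "email": "smugmug-a1@example.com"},
    {"name": "Bob Example", "state": "NV", "email": "smugmug-b2@example.com"},
]
# Hypothetical "obscure URL" that fires the script; the secret IS the path.
EXPORT_PATH = "/internal/party-list-7f3a9c"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed office/VPN range

@dataclass
class Request:
    path: str
    remote_ip: str
    user: Optional[str] = None          # authenticated identity, None if anonymous
    roles: set = field(default_factory=set)

def export_emails(state: str) -> list:
    return [c["email"] for c in CUSTOMERS if c["state"] == state]

def handle_obscure_url(req: Request) -> tuple:
    """Security through obscurity: anyone who learns the path gets the data,
    regardless of who they are or where the request comes from."""
    if req.path == EXPORT_PATH:
        return 200, export_emails("CA")
    return 404, None

def handle_hardened(req: Request, audit: list) -> tuple:
    """Same feature, gated on network origin, authentication and role;
    every attempt, allowed or refused, is appended to the audit log."""
    if req.path != EXPORT_PATH:
        return 404, None
    if ipaddress.ip_address(req.remote_ip) not in INTERNAL_NET:
        audit.append(f"DENY external {req.remote_ip} {req.path}")
        return 404, None                # don't even confirm the path exists
    if req.user is None:
        audit.append(f"DENY unauthenticated {req.remote_ip} {req.path}")
        return 401, None
    if "staff" not in req.roles:
        audit.append(f"DENY {req.user} lacks role staff")
        return 403, None
    audit.append(f"ALLOW {req.user} from {req.remote_ip} exported CA list")
    return 200, export_emails("CA")
```

The key point is the first branch of the hardened handler: a leaked URL is worthless to an outside party when the endpoint is unreachable from outside the internal network, and the audit log is what would have shown who fired the script and when.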
This has cost me a lot of time and hassle. And I never did get a party invitation. How about a free lifetime account? I think I get that if I say hi to Don at a conference while wearing a SmugMug baseball cap. That sounds a lot easier than what I've been through with all this spam and trying to figure out what was going on and trying to explain it to SM and complaining to my wife about it for the past two weeks. Or at least a baseball cap and a party invite. I really do need a new baseball cap, and I haven't been to a party in quite some time.
Happy to hook you and your wife up with hats, T-shirts (specify size) and camera straps.
I'm sorry to hear you didn't get an answer from us the first time you mailed. It's possible there was human error involved but more likely one of our emails got caught by the other's spam trap (ironic). We're pretty good at answering all our mail.
We did take this too lightly in the beginning, however, and apologize.
The spirit is willing but the flesh is weak on giving away free lifetime accounts for this. Unfortunately, as awful as it is to say, there are too many accounts involved. :cry
Actually, owning two ibm.com email addresses that are both blatantly obvious, one straight out of a dictionary, the other a first initial + last name combo that's ludicrously obvious, I can tell you it's AMAZING how little spam makes it through. That's what having an email system that's utterly incompatible with the rest of the world does for you. (That and I know at the gateways spanning the firewall they have a ludicrous amount of scanning and processing, at least that's the claim for why it sometimes takes 6 hours for email to get through. They even scan internal mail, looking for folks on the inside that are infected.)
That said, wow, this thread is kinda scary. Perhaps my friends in Atlanta can help you. Seriously, I know you don't much care for IBM as a vendor, but we only just bought ISS... we haven't utterly corrupted them (yet). As much as I love and applaud your desire to be an open company, there seems to be a huge gap between being open with your customers, and being just plain wide open. Security through obscurity is not security. There's a whole mindset behind this that I can't even fathom... did at no point the concept of a secure intranet for handling of sensitive corporate info ever occur? If not... wow... just wow.
http://wall-art.smugmug.com/
PM sent.
Anything to do with this? Or one of the 2 ways the UK government has compromised my data in the last month!
Wouldn't be surprised...
More as a sidenote - I am amazed how quickly any new email address I create gets spammed; all and any with .ntlworld.com (my ISP) get almost instant spamming, so someone has got access to their records by the look of it.
So the spambots, or whatever they're called, seem to be pretty well established in areas that should be secure, across the globe (who knows, maybe even further), but which obviously aren't secure. It's the ubiquity of the problem that is astonishing; it's like a fungus, its spores seem to be everywhere, just waiting...