DynDNS.org e-mail database compromised

The compromise of the DynDNS.org e-mail database is not “news” on this day, though it may be news to YOU.  The point of this post is not to broadcast news, but to demonstrate:

  1. Why you should protect your E-Mail address.
  2. How to protect your E-Mail address.
  3. How people have a responsibility for the E-Mail addresses entrusted to them.

1. Why you should protect your E-Mail address

What do I mean by “protect” your e-mail address?  After all, you HAVE to give it to people in order for them to send you e-mail, right?  Well, kind of, but you don’t have to give everyone the SAME e-mail address.  I’ll explain shortly, but first, here’s what happens when you don’t protect your e-mail address.

You get spam

If you give out the same e-mail address to everyone (and again, I’ll show you how to not do that shortly), then at some point, someone you gave it to is going to spam you, or sell it to a spammer, or their user database will get compromised and your address will be stolen and sold to spammers.

You get phishing attacks

Once spammers have your e-mail address, they’ll send you fake e-mail messages trying to trick you into signing into a fake bank website or some other fake site that replicates a business you probably have an account with, and then STEAL your REAL money.

Look at what happened to ME when a spammer somehow compromised DynDNS.org’s email database and got MY e-mail address:

[Image: DynDnsHacked]

There are no toll roads where I live and I don’t have an account with E-ZPass (I’ve never even heard of it), so I knew immediately that this was a phishing scam, even without Google’s warning.  Also, the English is poorly written.  But, if I weren’t as alert and if Google hadn’t flagged it, AND if I were an E-ZPass customer, it’s possible I’d have been tricked, and I’m sure many other people are tricked frequently.

You can’t trace who leaked your address

If you give the same e-mail address to EVERYONE, then you will receive spam on that address and have no way to determine who leaked it.  In my example above with the fake “E-ZPass” phishing scam email, I know EXACTLY who’s responsible for leaking it.  It was DynDNS.org.  How do I know?  Because that phishing email was sent to an email address alias that has only EVER been given to dyndns.org and is NOT one that would have been guessed.  Here’s DynDNS’s response.  They are STILL ultimately responsible.

2. How to protect your E-Mail address

I promised above I’d tell you how.  Here it is:

  1. HOW TO STOP SPAM: BASIC TIPS
  2. HOW TO STOP SPAM: ADVANCED TIPS
  3. HOW TO STOP SPAM: EXPERT TIPS

In short, you use a different email address for EVERY website you sign up with (and that’s VERY easy to do!!!!).  View my links for instructions on how to do that.  It’s actually quite easy, but I go into detail on 3 different levels (basic – for beginners).

Once you do this, if you ever get spam, you can look at the TO address and that will reveal which website you gave that address to, which reveals who’s responsible for either spamming you, selling your address to spammers, or having compromised the protection of your e-mail address.  Then you can block that address so you don’t have to deal with the spam anymore.
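The TO-address check described above can be automated. The following is an added example, not code from this post or from DynDNS: the alias registry, the addresses, and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: each alias was handed to exactly one site.
ALIAS_REGISTRY = {
    "dyn-7q2x@mail.example": "dyndns.org",
    "shop-k9fd@mail.example": "shop.example",
}

# Constructed sample messages (only the headers matter here).
PHISH = (
    "From: E-ZPass Support <support@ezpass-notice.example>\n"
    "To: dyn-7q2x@mail.example\n"
    "Subject: Payment for driving on toll road\n\n"
    "Pay your bill now.\n"
)
GENUINE = (
    "From: DynDNS <news@mail.dyndns.org>\n"
    "To: dyn-7q2x@mail.example\n"
    "Subject: Service update\n\n"
    "Hello.\n"
)

def trace_leak(raw_message, registry=ALIAS_REGISTRY):
    """Return one finding per registered alias the message was addressed to."""
    msg = message_from_string(raw_message)
    # Delivered-To / X-Original-To still name the alias when the sender used Bcc.
    fields = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(header, []))
    recipients = {addr.lower() for _, addr in getaddresses(fields) if addr}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []
    for alias in sorted(recipients.intersection(registry)):
        site = registry[alias]
        # From is sender-controlled: a match proves nothing, but a mismatch
        # shows the alias reached someone other than the site it was given to.
        from_site = sender_domain == site or sender_domain.endswith("." + site)
        findings.append({"alias": alias, "issued_to": site,
                         "sender_domain": sender_domain, "leaked": not from_site})
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, trace_leak(raw))
```

A finding with `leaked` set to true names the site the alias was issued to, which is the party to hold accountable and the alias to block.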

In DynDNS’s case, they claim it was their e-mail marketing company that accidentally leaked the addresses.  Doesn’t matter though.  DynDNS should never have entrusted that third party or should have researched their security measures.  DynDNS is fully responsible since they’re the ones that collected the addresses.

3. How people have a responsibility for the E-Mail addresses entrusted to them

If you’re on the receiving end of people signing up to your website or newsletters or services of any kind, you have a moral/ethical responsibility to protect those e-mail addresses.  In DynDNS’s case, they failed.  Even though they’re claiming it was their partner marketing company that failed, the responsibility still lies on DynDNS’s shoulders.  It is YOUR (you, the custodian of other people’s addresses) responsibility to ensure the security of them.  If you share that e-mail address with others, you MUST inform your users BEFORE they give you their e-mail address, AS PART of the process of receiving their e-mail address.  It is also your responsibility to verify the security of any partner to whom you give those e-mail addresses.  In short, you really should NEVER give those addresses to partners.  If you need to send out mass mailings to your customers who have entrusted you with their e-mail address, you must honor that trust and have your own, in-house e-mail marketing.

YOU are the gate-keeper of those addresses and if it falls into the wrong hands, even because of lax security by a third party, it’s STILL 100% your fault.  You shouldn’t have given that trusted data to someone else OR you should have fully researched their security measures.

If you ever discover a breach, either internally or externally, it is your responsibility to inform all of your users as soon as you find out.