# Epsilon; Email Concern



## Earl Bonovich (Nov 15, 2005)

Oh boy... Given the fact that as of this morning, I have now received emails from 9 major companies so far (Chase, BestBuy, Hilton Honors just to name a few).

It looks like the email clearing house/mail service, Epsilon had a breach that exposed our names and email address.

(Note, I do not know what service DIRECTV uses).

So keep your eyes open on any incoming emails you get.

But I see in the very near future, a change (again), in my email address.
My increase in spam of my less than 2 year old email address, is now getting back up to 35-50 a day. (my old address was getting over 200)... and this is POST filtering.


----------



## HDJulie (Aug 10, 2008)

I just got an email from Chase about it.

I have many email addresses. I have hotmail that I use for whatever needs a valid email address but I don't trust not to spam me, I have my personal domain email address that I use for friends & family, & I have gmail that I use for businesses, banks, etc -- things that require an email address & are most likely not going to spam me. Gmail does a great job of filtering out what spam I do get to that address.


----------



## Hutchinshouse (Sep 28, 2006)

+1

got a few emails so far.


----------



## spartanstew (Nov 16, 2005)

Got a couple yesterday warning of this. No biggie. My Gmail works great with Spam. I get a couple hundred per day and never see any of them (unless I look in my spam folder).


----------



## Sixto (Nov 18, 2005)

Same here, have gotten 3 today about the e-mail breach.


----------



## gpg (Aug 19, 2006)

Yep, the notices keep piling up. I'd hate to be responsible for Epsilon's marketing and sales department right now.


----------



## dpeters11 (May 30, 2007)

I rarely get actual spam in my inbox on gmail, so likely won't bother to do anything. I'm not vulnerable to phishing schemes, and that is the main concern. Fortunately, my mother is generally not either, but who knows what my father would do if he got an email "from" his bank. I'm hoping OpenDNS's Phishtank will protect him.


----------



## SayWhat? (Jun 7, 2009)

There are a few stories on various news and tech security websites about it.


----------



## SayWhat? (Jun 7, 2009)

FYI, I got something supposedly from UPS about a package being delivered to my house. This was at an email address I don't think I've ever used for UPS and it was not in their normal shipping notice format. The kicker was that it had a .zip file attached that I was supposed to open for the shipping information.

Yeah, right buddy. Ain't happenin'. Went straight for the delete button on that one.


----------



## dpeters11 (May 30, 2007)

SayWhat? said:


> FYI, I got something supposedly from UPS about a package being delivered to my house. This was at an email address I don't think I've ever used for UPS and it was not in their normal shipping notice format. The kicker was that it had a .zip file attached that I was supposed to open for the shipping information.
> 
> Yeah, right buddy. Ain't happenin'. Went straight for the delete button on that one.


Good choice, that was an actual virus.


----------



## Tom Robertson (Nov 15, 2005)

So far my yahoo account hasn't seen a SPAM uptick yet, they've been pretty good at SPAM filtering.

Cheers,
Tom


----------



## klang (Oct 14, 2003)

I seem to have dodged this one, no notices so far.

There is a variant on the UPS delivery scam, something about a prescription delivery. My sister in-law's husband was taken in this morning. It installs a virus called Clean This which pretends to be a virus scanner. He called me. :eek2:

Damn thing is active even booted into safe mode. I finally told him to take it to the Geek Squad at Best Buy. Talking him through command line and registry edit wasn't going to happen and I'm not flying to Florida.


----------



## klang (Oct 14, 2003)

klang said:


> I seem to have dodged this one, no notices so far.


Scratch that, just got a love note from Walgreens. I don't remember signing up for their site.


----------



## AttiTech (Feb 21, 2011)

I haven't noticed any of the emails, I'm using gmail as well so all the spam probably didn't hit my inbox


----------



## AttiTech (Feb 21, 2011)

klang said:


> Scratch that, just got a love note from Walgreens. I don't remember signing up for their site.


Who signs up for love? Oh right, everyone who uses internet dating sites. In your case you are dating the internet....hmmm


----------



## The Merg (Jun 24, 2007)

Yup. I got one from Best Buy. It was to an old e-mail address I don't use anymore, but must be what I signed up for them with. Even then, I hardly ever get spam e-mails now. The one that keeps showing up is one from an AOL address that originates out of China. I just ignore it.

- Merg

Sent from my iPod touch using DBSTalk


----------



## Marlin Guy (Apr 8, 2009)

I guess I'm a bit unclear as to where the breach occurred.
Was it related to the forum or to DirecTV?


----------



## Earl Bonovich (Nov 15, 2005)

Marlin Guy said:


> I guess I'm a bit unclear as to where the breach occurred.
> Was it related to the forum or to DirecTV?


Neither...

http://www.engadget.com/2011/04/03/tivo-email-database-compromised-by-epsilon-security-breach-spam/

(Note I only selected this link because it is Engadget).

I have received a handful more notices today as well.


----------



## Alan Gordon (Jun 7, 2004)

TiVo on Saturday, and Best Buy today... 

~Alan


----------



## hdtvfan0001 (Jul 28, 2004)

I'm sure they'll try to keep it hush hush in the press....but based on the client list....this is going to be a large security breach in terms of the number of people potentially impacted.

It may also not be a major problem, depending on when they discovered it, what they learned, and if they've found the culprit.

We'll just have to be on the alert.


----------



## dpeters11 (May 30, 2007)

I got an email tonight from Target to add to the list.


----------



## MikeW (May 16, 2002)

Got a few of those over the weekend. One of them is from CollegeBoard.org. Guess Epsilon is quite diverse. Here's to a summer of spam


----------



## tcusta00 (Dec 31, 2007)

Marlin Guy said:


> I guess I'm a bit unclear as to where the breach occurred.
> Was it related to the forum or to DirecTV?


:scratchin Huh?


----------



## The Merg (Jun 24, 2007)

Well, I just got an e-mail from Citibank Business, which would be due to my credit card account I have for my side business. Will be interesting as I've never gotten a spam e-mail at my side business e-mail. I guess if I do, I know why...

- Merg


----------



## Marlin Guy (Apr 8, 2009)

tcusta00 said:


> :scratchin Huh?


In the English language, the use of the word "our" generally refers to oneself and present company.
It's not that complicated.



Earl Bonovich said:


> It looks like the email clearing house/mail service, Epsilon had a breach that exposed our names and email address.
> 
> (Note, I do not know what service DIRECTV uses).


----------



## tcusta00 (Dec 31, 2007)

Marlin Guy said:


> In the English language, the use of the word "our" generally refers to oneself and present company.
> It's not that complicated.


Yeah, he was referring to "our" as in - the whole world that's ever registered an email address with any retailer. Our - the collective whole of this forum's participants.

Did I do something to offend you? Is there really a need for the overt sarcasm and belittling?


----------



## redsoxfan26 (Dec 7, 2007)

SayWhat? said:


> FYI, I got something supposedly from UPS about a package being delivered to my house. This was at an email address I don't think I've ever used for UPS and it was not in their normal shipping notice format. The kicker was that it had a .zip file attached that I was supposed to open for the shipping information.
> 
> Yeah, right buddy. Ain't happenin'. Went straight for the delete button on that one.


I've gotten a few of those also. Crazy... :eek2:


----------



## fluffybear (Jun 19, 2004)

redsoxfan26 said:


> I've gotten a few of those also. Crazy... :eek2:


Got one of those over the weekend. Mine was .RAR file format.


----------



## The Merg (Jun 24, 2007)

fluffybear said:


> Got one of those over the weekend. Mine was .RAR file format.


Well, it wasn't a zip file so it must be legit. :lol:

- Merg

Sent from my iPod touch using DBSTalk


----------



## Marlin Guy (Apr 8, 2009)

tcusta00 said:


> Did I do something to offend you? Is there really a need for the overt sarcasm and belittling?


:scratchin Huh?


----------



## tcusta00 (Dec 31, 2007)

Marlin Guy said:


> :scratchin Huh?


So you were offended at my confused smiley and "huh?" response to your confused smiley post so you responded with sarcasm and unnecessary belittling. I understand. But still not sure why I deserved that. Not exactly a way to carry on a conversation.


----------



## Stewart Vernon (Jan 7, 2005)

This reminds me of the point I always make when companies try and sell me identity-theft-protection...

I'm not the one being careless with my identity... The businesses and banks are the ones getting hacked and leaking info... and on top of that they are the ones allowing people to "steal" your identity without properly verifying who they are talking to... so why do I have to pay and clean up after their mistakes?


----------



## SayWhat? (Jun 7, 2009)

hdtvfan0001 said:


> I'm sure they'll try to keep it hush hush in the press....


Not hardly, it's been all over the press.


----------



## Sixto (Nov 18, 2005)

Between this and RSA getting hacked through that Adobe issue, not a good time for security lately.


----------



## bobnielsen (Jun 29, 2006)

My ISP uses gmail and very rarely does anything get through (and when it does, Apple Mail usually catches it). I check periodically to catch the false positives, however. I haven't seen anything unusual recently.


----------



## Mikemok1981 (Jul 9, 2009)

Sixto said:


> Between this and RSA getting hacked through that Adobe issue, not a good time for security lately.


Then Comodo getting hacked and all the false Certificates that came out from that and PSN supposedly getting hacked by Anonymous, no doubt a bad time for security.


----------



## The Merg (Jun 24, 2007)

Well, add 800-Flowers and Hilton Honors program to those that use Epsilon. Just got an e-mail today from both of them...

- Merg


----------



## SayWhat? (Jun 7, 2009)

Stewart Vernon said:


> I'm not the one being careless with my identity... The businesses and banks are the ones getting hacked and leaking info... and on top of that they are the ones allowing people to "steal" your identity without properly verifying who they are talking to... so why do I have to pay and clean up after their mistakes?


Yeah, I'm pretty tight with what I put on the web. My name is NEVER posted on the web anywhere. The only places that have a name, address and phone number are banks, CC companies and retailers, which of course are some of the ones affected here. It kinda' peeves me off when they send out emails that include my full name though. They seem to think it allays fears of phishing and makes the emails more legit.

However, this is one reason I stopped using my full name even with retailers and subscription sites like webhosting companies. I now request a second card for each CC with an alternate name, or with just my first and middle initials and last name and an alternate billing address. That way I can use the alternate info on retailers' sites and still have the CC work with the AVS systems.


----------



## kocuba (Dec 29, 2006)

Have gotten a total of 7 warning emails as of today (Chase, BofA, Walgreens..)

And got my first phishing email from that today (Chase)

"_dear client_...."

yeah like I'm gonna fall for that.


----------



## scooper (Apr 22, 2002)

Jeese - I'm not getting anything from any of those companies - legit or not...


----------



## wilbur_the_goose (Aug 16, 2006)

Folks - SPAM is the least of your concerns.

I'm in IT security, and the common thinking is that these e-mail addresses will be used for later spear phishing attacks. (http://www.fbi.gov/news/stories/2009/april/spearphishing_040109)

Spam is like 1st grade hacking compared to this type of attack.


----------



## fluffybear (Jun 19, 2004)

The Merg said:


> Well, add 800-Flowers and Hilton Honors program to those that use Epsilon. Just got an e-mail today from both of them...
> 
> - Merg


Might as well add to those already mentioned:

Walgreens
Target
Tivo
FIA Card Services
Ameriprise Financial
US Bank


----------



## dpeters11 (May 30, 2007)

wilbur_the_goose said:


> Folks - SPAM is the least of your concerns.
> 
> I'm in IT security, and the common thinking is that these e-mail addresses will be used for later spear phishing attacks. (http://www.fbi.gov/news/stories/2009/april/spearphishing_040109)
> 
> Spam is like 1st grade hacking compared to this type of attack.


Very true. I just read that Conde Nast was a spear phishing victim to the tune of $8 million.

I'm just glad that if the data taken was only what was reported, that spear phishing is all they can do.


----------



## fluffybear (Jun 19, 2004)

Mrs. Fluffybear said she just received notice from Children's Place..


----------



## spartanstew (Nov 16, 2005)

I got an Email from Chase today warning me of the breach.
Don't usually get Emails from them.
In order to help ensure I was protected, the Email instructed me to click
On a link, enter my current password and then change the password.
That was nice of them to send that and I took care of it immediately. Feeling
Safer already.


----------



## Tom Robertson (Nov 15, 2005)

spartanstew said:


> I got an Email from Chase today warning me of the breach.
> Don't usually get Emails from them.
> In order to help ensure I was protected, the Email instructed me to click
> On a link, enter my current password and then change the password.
> ...


Unless you got phished or spear phished...


----------



## SayWhat? (Jun 7, 2009)

spartanstew said:


> I got an Email from Chase today warning me of the breach.
> Don't usually get Emails from them.
> In order to help ensure I was protected, the Email instructed me to click
> On a link, enter my current password and then change the password.
> ...


I don't see a sarcasm tag or a rolleyes smiley, so just in case you're not joking, make sure you go direct to the bank site (not an emailed link) and change your PW.


----------



## spartanstew (Nov 16, 2005)

SayWhat? said:


> I don't see a sarcasm tag or a rolleyes smiley, so just in case you're not joking, make sure you go direct to the bank site (not an emailed link) and change your PW.


Look closer


----------



## AttiTech (Feb 21, 2011)

Mikemok1981 said:


> Then Comodo getting hacked and all the false Certificates that came out from that and PSN supposedly getting hacked by Anonymous, no doubt a bad time for security.


Ahh, Anon. Your Early to Mid-Twenty somethings who wear masks outside of religious buildings. What an interesting time I had with those fellows a couple of years back. Know a few of their hackers who helped start the ball rolling back when they wanted nothing more than to take down Scientology. Friends of mine? Yes. Idiots? Most definitely. :lol:


----------



## tcusta00 (Dec 31, 2007)

spartanstew said:


> Look closer


as if the haiku on acid style wasn't hint enough...


----------



## spartanstew (Nov 16, 2005)

tcusta00 said:


> as if the haiku on acid style wasn't hint enough...


Well, I thought so.


----------



## wingrider01 (Sep 9, 2005)

fluffybear said:


> Might as well add to those already mentioned:
> 
> Walgreens
> Target
> ...


Here is a larger list

http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands


----------



## fluffybear (Jun 19, 2004)

wingrider01 said:


> Here is a larger list
> 
> http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands


If I go with that list, I should be hearing from a few more as I do business with at least 17 names on that list and have only heard from 9 so far.


----------



## klang (Oct 14, 2003)

I wonder if we will ever hear any details about this. 

Was it a hacker or an inside job? 
Does Epsilon store all client data together in one big database? If so did the clients know this?

I wouldn't want to be there for the next security audit. :lol:


----------



## The Merg (Jun 24, 2007)

Hmmm... Just got an e-mail from Chase. As far as I know, I've never had an account with Chase... Now, just like all the other ones I've been notified of, it is for an older e-mail address that I don't use anymore, so I guess I could have registered with a Chase affiliated site at some point in time.

- Merg


----------



## fluffybear (Jun 19, 2004)

The Merg said:


> Hmmm... Just got an e-mail from Chase. As far as I know, I've never had an account with Chase... Now, just like all the other ones I've been notified of, it is for an older e-mail address that I don't use anymore, so I guess I could have registered with a Chase affiliated site at some point in time.
> 
> - Merg


Chase has their hands in a lot of pots. A couple of years back, we learned that our life insurance policy had been sold to Chase.

Chase also manages a number of cards including (but not limited to) the following:

AAA Rewards Visa Credit Card (Northern California, Nevada, Utah)
AARP Platinum Visa
AARP Rewards Platinum Visa Credit Card
Air BP Visa
Amazon.com Platinum Visa Credit Card
American Kennel Club Rewards Visa
California Association of Realtors Credit Card
Classic Industries Platinum Visa Credit Card
Coldwater Creek Credit Card
Continental World MasterCard
Disney Credit Card
GM Business Credit Card
Hess Visa Platinum Card from Chase
Honda Rewards Visa Credit Card
Irving Platinum Visa Credit Card
Marathon Platinum MasterCard from Chase
Marriott Rewards Premier Visa Signature Card
Marriott Rewards Signature Visa Card
Marriott Rewards Visa Business Card
National Geographic Platinum MasterCard
OneCause Platinum Visa Credit Card
optionsXpress Platinum Visa
Priority Club Rewards Business Credit Card
Priority Club Rewards Platinum Visa Card
Sheetz MasterCard
Sony Card Rewards
Southwest Airlines Business Credit Card
Southwest Airlines Rapid Rewards Visa
Speedway SuperAmerica Platinum MasterCard
Subaru Platinum MasterCard
United Mileage Plus Visa
UPS Store Visa Business Card


----------



## Stewart Vernon (Jan 7, 2005)

I'm surprised I haven't seen this question asked... so I will...

Why are all these places using a third party to send customer emails anyway?

I mean... they have to have internet... they have to have your email address... they have to generate the content that they want to email to you and send it somewhere...

So why not send it directly?

Why contract a third party just to send customer emails?

That seems quite wasteful.

It would be like if I hired a guy to take mail from my door to the end of my driveway and put the flag up for me... It makes no sense.


----------



## SayWhat? (Jun 7, 2009)

^^ It's the corporate way.


----------



## wingrider01 (Sep 9, 2005)

Stewart Vernon said:


> I'm surprised I haven't seen this question asked... so I will...
> 
> Why are all these places using a third party to send customer emails anyway?
> 
> ...


It is cheaper and easier than doing it yourself. Used to work for a company that did email blasts to current subjects - about 300 - 400K a month, we used a smaller firm that was dedicated to doing just this, their senders' email addresses were on all the white lists and being valid email blasts. Even at 300 - 400K a month, Epsilon would not even give us price quotes because the amount was too low for them to bother with.


----------



## wilbur_the_goose (Aug 16, 2006)

spartanstew said:


> I got an Email from Chase today warning me of the breach.
> Don't usually get Emails from them.
> In order to help ensure I was protected, the Email instructed me to click
> On a link, enter my current password and then change the password.
> ...


Nice!

BTW, Thanks for illustrating the type of attack that we'll see very soon.


----------



## Stewart Vernon (Jan 7, 2005)

wingrider01 said:


> It is cheaper and easier than doing it yourself. Used to work for a company that did email blasts to current subjects - about 300 - 400K a month, we used a smaller firm that was dedicated to doing just this, their senders' email addresses were on all the white lists and being valid email blasts. Even at 300 - 400K a month, Epsilon would not even give us price quotes because the amount was too low for them to bother with.


How can it possibly be cheaper and easier for someone else to send your emails for you?

Like I said... using Chase as an example...

Someone at Chase has to collect all the email addresses and maintain a database... Someone at Chase has to compose the email that they want to send to their customers... and someone at Chase has to send that email to the third party... who then sends it to the database that Chase already has?

Why wouldn't it be easier and cheaper for Chase to send that email to the distribution list instead of the third party?

It takes me the exact same effort to send an email to one person as it does to send it to one large distribution list.

It just opens the door to someone else having access to personal information and another database to be hacked.

I guess I should start going around the neighborhood and start selling my mailing/checking mail services to all my neighbors so I can take the mail from them to their driveway mailbox


----------



## tcusta00 (Dec 31, 2007)

Stewart Vernon said:


> How can it possibly be cheaper and easier for someone else to send your emails for you?
> 
> Like I said... using Chase as an example...
> 
> ...


What about kicked back emails? Servers? Server loads? Don't know that much about it but certainly it's not as simple as you're illustrating it to be or else these companies wouldn't be doing it.


----------



## The Merg (Jun 24, 2007)

spartanstew said:


> I got an Email from Chase today warning me of the breach.
> Don't usually get Emails from them.
> In order to help ensure I was protected, the Email instructed me to click
> On a link, enter my current password and then change the password.
> ...


!rolling

- Merg


----------



## dmspen (Dec 1, 2006)

Right after this was announced, emails started getting sent to people with my email address. I did receive multiple emails telling me my email had been compromised.

Here's my question...Is it possible that these emails being sent by me to addresses in my address book are a result of this Epsilon issue? Or did my email account get hacked?


----------



## The Merg (Jun 24, 2007)

tcusta00 said:


> What about kicked back emails? Servers? Server loads? Don't know that much about it but certainly it's not as simple as you're illustrating it to be or else these companies wouldn't be doing it.


That's my thinking as well. Also, I wouldn't be surprised if Chase doesn't even maintain the database of e-mail addresses either. That maintenance is also probably outsourced to Epsilon.

- Merg


----------



## spartanstew (Nov 16, 2005)

tcusta00 said:


> What about kicked back emails? Servers? Server loads? Don't know that much about it but certainly it's not as simple as you're illustrating it to be or else these companies wouldn't be doing it.


They also track which Emails were opened, which were forwarded, etc. and provide data on those figures. Additionally, they provide the streamlined means for customers to opt out (unsubscribe) and do all the tracking of those figures as well - and it's not very expensive.


----------



## armophob (Nov 13, 2006)

Chase, Scottrade, and Collegeboard in a few days

I care more about the complaints of people who get emails from "my" address


----------



## The Merg (Jun 24, 2007)

fluffybear said:


> Chase has their hands in a lot of pots. A couple of years back, we learned that our life insurance policy had been sold to Chase.
> 
> Chase also manages a number of cards including (but not limited to) the following:
> 
> ...


The only credit cards I have are Citibank and American Express. I do have a store credit card from The Roomstore, so I guess Chase could manage that.

- Merg


----------



## wingrider01 (Sep 9, 2005)

spartanstew said:


> They also track which Emails were opened, which were forwarded, etc. and provide data on those figures. Additionally, they provide the streamlined means for customers to opt out (unsubscribe) and do all the tracking of those figures as well - and it's not very expensive.


Now that I am in the office I looked at my monthly charge for the bulk email firm we use - 300 - 400k emails a month for approximately 1,200.00. To try and do that ourselves with all the hardware, bandwidth, personnel cost would never be able to hit that cost per month. ROI is better not to reinvent the wheel and outsource it.


----------



## AttiTech (Feb 21, 2011)

Change for me here, I ended up getting one from Chase yesterday morning.


----------



## SayWhat? (Jun 7, 2009)

Stewart Vernon said:


> How can it possibly be cheaper and easier for someone else to send your emails for you?


How can it be cheaper or easier for Dell and Direct to farm all their customer service calls out to India?

How can it be cheaper and easier for corporations to hire an outside firm to process their payroll and other accounting operations?

Instead of paying someone $25/hr or more to do something, you outsource to another company or country who can/will do it for $5/hr.


----------



## Stewart Vernon (Jan 7, 2005)

tcusta00 said:


> What about kicked back emails? Servers? Server loads? Don't know that much about it but certainly it's not as simple as you're illustrating it to be or else these companies wouldn't be doing it.


I know I was oversimplifying a little... But couldn't one part-time employee be in charge of all that instead of exposing the information to a third party?

There's a lot of outsourcing these days that just doesn't make sense to me.



spartanstew said:


> They also track which Emails were opened, which were forwarded, etc. and provide data on those figures. Additionally, they provide the streamlined means for customers to opt out (unsubscribe) and do all the tracking of those figures as well - and it's not very expensive.


True... but since the companies in question also have to deal with emails from customers for other things... like billing error inquiries (for example)... don't they still have to have someone in-house capable of handling all that anyway?



SayWhat? said:


> How can it be cheaper or easier for Dell and Direct to farm all their customer service calls out to India?


Apples and oranges to some extent. Companies that outsource to foreign countries often pay pennies on the dollar to what they would have to pay a US employee... so while I don't like the practice, I at least understand how they save money by doing it.



SayWhat? said:


> How can it be cheaper and easier for corporations to hire an outside firm to process their payroll and other accounting operations?


Honestly... this falls into the same category. A lot of these companies have in-house Human Resources but just outsource the payroll... which seems odd. Other companies outsource the entirety of their HR dept which may make a little more sense...

But still, given that a company has to keep track of its employees anyway... I have wondered what they gain by outsourcing payroll.



SayWhat? said:


> Instead of paying someone $25/hr or more to do something, you outsource to another company or country who can/will do it for $5/hr.


When you can save money... I get it...

But sending emails isn't rocket science.

Once a Web script for subscribing/unsubscribing is written... then it's done. It can be part of their Web site (and usually is anyway) that they don't touch except for the initial implementation.

Then a lot of the rest of the process is automated once they generate the mass-email and send it to the distribution list...

They just need someone part-time to monitor for rejected/bounced emails or customer inquiries... and just about any employee could do that. They could even rotate different employees into the role to cover those responsibilities as needed.

And of course... there wouldn't be one-stop-shopping for hackers anymore if each company kept the info in-house... there would be no central Epsilon database to hack for customers of multiple companies.


----------

