Massive Security Breach Leaks 'Millions' of Email Addresses

An unspecified number of email users may be indirect victims of a recent data breach at a major marketing company.

The breach was at Epsilon, which operates online mailing lists for many major companies, including seven of the ten largest firms in America.

It's rumored that "millions" of email addresses may have been compromised in the attack. (Source: forbes.com) The data theft means users should be on high alert for so-called email "phishing" attempts.

Massive Data Breach a Gold Harvest for Online Scammers

Epsilon says the breach involved the data relating to 2 per cent of its clients. It's not clear if that proportion is by number of users or simply the number of firms; if it's the latter, than around 50 companies will be affected.

Those that have already confirmed their lists were involved include 1-800-Flowers, Barclays, Best Buy, Home Shopping Network, LL Bean, Marriot, Ritz Carlton, TiVo and US Bancorp. (Source: epsilon.com)

The good news is that the hackers didn't get any particularly sensitive data, such as account numbers, passwords or card details. Instead, they were only able to access lists of emails accompanied by the customer's name.

Access to Email, Real Names Means Real Threat

Were it just email addresses, the main risk would be an increase in spam. Spammers will pay high fees for email addresses known to be genuine and in-use. However, with the names also available, the attention will likely turn to phishing.

Phishing involves attempting to trick users into believing a scam email is from a legitimate source, such as an online bank or retailer, and then getting the users to hand over sensitive data.

By using real names, the scammers can produce messages a little more credible-looking and less like automated scams.

Customers Warned: Steer Clear of Suspicious Links

As a result of the breach, many of the sites involved have contacted customers and reminded them that they would never ask for personal details via email.

Security advisors have encouraged users to never follow a link in a message asking for such information.

It's also important to note that while the sites are sending out such warnings, they are not asking users to change log-in details. Any message along those lines is likely itself a scam that's designed to get hold of such details. (Source: go.com)