Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:28 PM
Connect Directly

Attackers Steal Major Retailers', Financial Firms' Customer Email Data

Breach at email marketing services firm Epsilon could open the door for widespread, ongoing phishing, targeted attacks

On the surface, the massive hack of email service provider Epsilon might seem relatively benign -- no credit card accounts, Social Security numbers, or source code were stolen, just millions of email addresses and, in some cases, full names. But security experts say the attack, which affects customers of major retailers and financial institutions, could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.

Last Friday Epsilon revealed it had discovered on March 30 that some of its clients' customer information was exposed by a hack into its internal email system. "The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway," the company said in a statement on its website.

Since then, some of the biggest names in retail and banking have begun notifying their customers that their email information was exposed in the breach, and the list is staggering. At last count, there were some 38 companies and counting: 1-800-Flowers, AbeBooks (a division of Amazon), American Express, Ameriprise, AstraZeneca, Barclays Bank of Delaware, Benefit Cosmetics, Best Buy, Brookstone City Market, Capital One, Citi, The College Board, Dillons, Disney Destinations, Food 4 Less, Fred Meyer, Fry's, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, Lacoste, LL Bean VISA, Marriott Rewards, McKinsey Quarterly, New York & Company, QFC, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, Robert Half, Smith's, TiVo, US Bank, Verizon, and Walgreens, according to notices from some of these firms and industry sources.

More firms are expected to come forward as well. The emails and names of the victims stolen by the attackers ultimately have been, or will be, used to spam, phish, or socially engineer them for other more lucrative information, security experts say. In some cases, the customer email information included the customer's banking institution, giving the attackers even more detail to use in their spoofed messages.

"What's scary about this case in particular is that it's now easy to spoof Chase or Best Buy. If you gave your email to Best Buy, you're going to trust that the [phishing] email came from them," says HD Moore, CSO at Rapid7 and creator of Metasploit.

The stolen emails could be used for targeted attacks against corporations, using the stolen email account holders as a first step in an attack, he says. Aside from near-term phishing attacks, the email addresses could also be sold to spammers, Moore says.

What's unclear thus far is whether this latest attack is related to the attacks suffered by email marketing service providers Silverpop and ReturnPath late last year, when they were hacked and their clients' customer email databases, including McDonald's were exposed. At the time, Walgreens also announced its customer emails had been breached, but would not confirm whether the attack was via its email marketing provider.

But according to databreaches.net, Walgreens said the retailer had asked Epsilon to add more security after the late 2010 attacks that hit Silverpop as well. "Apparently, that expectation was not fully met," the spokesperson reportedly told databreaches.net, indicating that Epsilon may now be responding to a second attack.

Walgreens wouldn’t comment today beyond its official announcement: "Walgreens today announced Epsilon, a third-party vendor it uses to email promotional messages, reported an unauthorized access to its computer systems. Law enforcement authorities have been notified and are investigating the matter. Email addresses were the only information obtained in this incident."

Neil Schwartzman, a messaging industry consultant and executive director of The Coalition Against Unsolicited Commercial Email (CAUCE), who was formerly with email marketing services provider ReturnPath, notes that not all of these providers came forward publicly in the late 2010 breach. "We don't know the technical details of this breach," he says. "And we don't know if it's the same gang that hit back then or if they used the same method ... What is clear is that a significant portion of Epsilon's clients were compromised, including seven financial institutions."

The breach at Epsilon is big because it sets up phishers to conduct real-looking attacks that could ultimately also steal more sensitive and lucrative information. "What they have in hand is names, email addresses, and who people bank with. That sets things up perfectly for spearphishing attacks," Schwartzman says.

Such an attack could go like this, he says: "'Dear Neil, You know about our recent breach we wrote to you about. Please go to our database and confirm your [personal account] information. Signed, Visa.'

"This is a real problem," he says.

Dennis Dayman, a MAAWG Board member and chief privacy and deliverability officer at Eloqua, says an attacker could conceivably have emails from 10 different brands that a user normally would trust via email. "Now it has 10 different brands that could be used against you, to get information about you and your personal life," says Dayman, who says he sees the fallout lasting for two, five, or more years down the road.

What should consumers whose emails have been exposed do? Besides being wary of emails from these brands, you could take a more extreme measure and change your email address. "Change your email address. That's the only way you're going to be able [to protect yourself]," Schwartzman says. "It's incredibly depressing to have to say that."

Meanwhile, email service providers will continue to be a valuable target. Expect more attacks on these companies, experts say. "Their intellectual property is their email addresses," says Marcus Carey, community manager for Rapid7. That information then can be used to target corporate users and, in turn, their employers, he says.

And just how long attackers had possession of the emails and if they already had been using them in phishing emails is unclear, he says. "There was a window where some attackers could have been using that information," Carey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...