[ISN] Password Spamming: Latest Web Marketing Trick

From: mea culpa (jerichoat_private)
Date: Tue Jun 02 1998 - 07:52:19 PDT


    Password spamming:
    The latest Web marketing trick
    When Web companies make deals, sometimes more
    than cash changes hands.
    - - - - - - - - - - - - - - - - - - - - -
    BY ANDREW LEONARD | Normally, I delete spam almost before I read it. But
    the unsolicited e-mail message that I got Monday morning from
    "theglobe.com" froze my index finger over the delete key right in its
    tracks. This particular spam, announcing that I now had a "FREE VIP
    Membership to theglobe.com ... your friendly full-service integrated
    online community," included my username -- and a password that I regularly
    use on other sites, like the New York Times and the Wall Street Journal.

    I had never visited theglobe.com, one of the handful of companies
    attempting to strike it rich by offering free home pages to the general
    Web-going public. But they had somehow gotten their paws on my password.

    By their own admission, theglobe.com had screwed up. Vance Huntley, the
    chief technical officer for theglobe.com, has a reasonable explanation for
    how the "glitch" occurred as part of a deal with Advertising Age
    Interactive -- a site I'd registered for nearly three years ago. But even
    if this incident was an unintentional blunder, it should send a loud
    warning through cyberspace: In an era of frenzied consolidation and
    spaghetti-like cross-marketing deals, private passwords are less secret by
    the day.

    What happened? According to Huntley, theglobe.com had been providing Ad
    Age Interactive with "interaction services" on the Ad Age site, including
    a chat room interface and other functions. As part of a recently concluded
    deal between theglobe.com and Ad Age, Ad Age apparently requested that its
    subscriber base be registered en masse at theglobe.com, so that each user
    wouldn't have to re-register to enjoy the perquisites of theglobe.com
    membership. (Advertising Age representatives had not answered phone
    messages and e-mail by our deadline.)

    Normally, says Huntley, every time new users come to theglobe.com and
    register, they receive immediate e-mail notification that includes their
    new username and password.  This is standard practice for many Web sites
    that require registration. In this case, however, the mass registration of
    Ad Age subscribers -- which occurred without the knowledge or express
    permission of those subscribers -- triggered off a bulk e-mailing to
    "thousands" of users, who had no idea their passwords had been passed from
    one company to another.

    "As part of our arrangement, when an Ad Age user came to theglobe.com,
    they wouldn't need to provide their information again," says Huntley. "At
    least that was all in the plan.  What I would assume is that Ad Age did
    not ask for the bulk mailing."

    "The really annoying part of this from my perspective is that the members
    of Ad Age tend to be a fairly technically savvy crowd," says Huntley.
    "We've been getting all kinds of interesting commentary."

    Huntley said that he'd received about half a dozen calls about the
    password spam on Monday. And he sympathizes with their concerns.

    "I hate getting unsolicited mail of any kind," says Huntley, "and it has
    always been our policy to say, hey, you're getting this mail because you
    typed your e-mail address into our Web site. This was an editorial
    oversight, but it has had bad repercussions.  I think that it would have
    made a lot more sense to indicate to users what was going on.  But alas,
    the mail has gone out."

    "What we highlighted here is that we are not as sophisticated about it as
    other operations might be," says Huntley. "Had this been the 20th time
    we'd done this, perhaps there would be standard operating procedure to
    deal with this eventuality. This is the first time we've had anyone call
    and complain about this kind of issue. I think there are other folks doing
    it a lot more and that they have procedures in place to deal with it."

    And there's the real problem. How often is this kind of mass
    re-registration of subscribers going on in the Web world? In the offline
    universe, mailing lists get bought and sold with increasing frequency. But
    private passwords? Is such user information being traded between companies
    -- and how often is it being used? Just think of one potentially
    disturbing possibility: Microsoft recently bought Firefly, the owners of a
    database far larger and more detailed than Advertising Age's. Microsoft
    now has access to all Firefly user preferences, not to mention their
    Of course, Microsoft is probably smart enough not to send a bulk e-mailing
    to all those users that included their passwords printed in plain text.
    And they shouldn't. On the other hand, at least such blunders let us know
    what companies are up to with our information. Do you know where your
    password is tonight?

    SALON | June 2, 1998
