http://www.salonmagazine.com/21st/?st.ne.fd.mnaw

Password spamming: The latest Web marketing trick

When Web companies make deals, sometimes more than cash changes hands.

- - - - - - - - - - - - - - - - - - - - -

BY ANDREW LEONARD

Normally, I delete spam almost before I read it. But the unsolicited e-mail message that I got Monday morning from "theglobe.com" froze my index finger over the delete key right in its tracks. This particular spam, announcing that I now had a "FREE VIP Membership to theglobe.com ... your friendly full-service integrated online community," included my username -- and a password that I regularly use on other sites, like the New York Times and the Wall Street Journal.

I had never visited theglobe.com, one of the handful of companies attempting to strike it rich by offering free home pages to the general Web-going public. But they had somehow gotten their paws on my password.

By their own admission, theglobe.com had screwed up. Vance Huntley, the chief technical officer for theglobe.com, has a reasonable explanation for how the "glitch" occurred as part of a deal with Advertising Age Interactive -- a site I'd registered for nearly three years ago. But even if this incident was an unintentional blunder, it should send a loud warning through cyberspace: In an era of frenzied consolidation and spaghetti-like cross-marketing deals, private passwords are less secret by the day.

What happened? According to Huntley, theglobe.com had been providing Ad Age Interactive with "interaction services" on the Ad Age site, including a chat room interface and other functions. As part of a recently concluded deal between theglobe.com and Ad Age, Ad Age apparently requested that its subscriber base be registered en masse at theglobe.com, so that each user wouldn't have to re-register to enjoy the perquisites of theglobe.com membership. (Advertising Age representatives had not answered phone messages and e-mail by our deadline.)

Normally, says Huntley, every time new users come to theglobe.com and register, they receive immediate e-mail notification that includes their new username and password. This is standard practice for many Web sites that require registration. In this case, however, the mass registration of Ad Age subscribers -- which occurred without the knowledge or express permission of those subscribers -- triggered off a bulk e-mailing to "thousands" of users, who had no idea their passwords had been passed from one company to another.

"As part of our arrangement, when an Ad Age user came to theglobe.com, they wouldn't need to provide their information again," says Huntley. "At least that was all in the plan. What I would assume is that Ad Age did not ask for the bulk mailing."

"The really annoying part of this from my perspective is that the members of Ad Age tend to be a fairly technically savvy crowd," says Huntley. "We've been getting all kinds of interesting commentary."

Huntley said that he'd received about half a dozen calls about the password spam on Monday. And he sympathizes with their concerns.

"I hate getting unsolicited mail of any kind," says Huntley, "and it has always been our policy to say, hey, you're getting this mail because you typed your e-mail address into our Web site. This was an editorial oversight, but it has had bad repercussions. I think that it would have made a lot more sense to indicate to users what was going on. But alas, the mail has gone out."

"What we highlighted here is that we are not as sophisticated about it as other operations might be," says Huntley. "Had this been the 20th time we'd done this, perhaps there would be standard operating procedure to deal with this eventuality. This is the first time we've had anyone call and complain about this kind of issue. I think there are other folks doing it a lot more and that they have procedures in place to deal with it."

And there's the real problem.

How often is this kind of mass re-registration of subscribers going on in the Web world? In the offline universe, mailing lists get bought and sold with increasing frequency. But private passwords? Is such user information being traded between companies -- and how often is it being used?

Just think of one potentially disturbing possibility: Microsoft recently bought Firefly, the owners of a database far larger and more detailed than Advertising Age's. Microsoft now has access to all Firefly user preferences, not to mention their passwords.

Of course, Microsoft is probably smart enough not to send a bulk e-mailing to all those users that included their passwords printed in plain text. And they shouldn't. On the other hand, at least such blunders let us know what companies are up to with our information.

Do you know where your password is tonight?

SALON | June 2, 1998

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]