
1.9M Bell customer email addresses stolen by 'anonymous hacker' - Preemo
http://www.cbc.ca/beta/news/technology/bell-data-breach-customer-names-phone-numbers-emails-leak-1.4116608
======
soyiuz
Perhaps I have security breach fatigue, but I am somewhat fed up with the
usual "emails stolen" headline. An address and a name are by definition
publicly available records. You can steal them simply by walking down the
street and taking down mailbox names (or requesting these records from the
city hall).

Of course the fact that these names are Bell's customers gives someone one
more bit of information, but again not necessarily private information. My
name is on the doorbell buzzer in a densely populated area, which is also
served by a single phone company. Once again, the information is kind of
public by default.

Perhaps what we need is a more thorough discussion about boundaries between
public and private activities. For example, shopping seems to fall into the
gray zone between these ideas. I do not usually have the expectation of
privacy when I shop. Should I then be surprised that my local mart shares my
shopping details with third parties?

On the other end of the spectrum we hold onto truly private information like
security tokens or private keys (both real and virtual) with much more zeal.
Those we do not share with random strangers, much less large corporate
entities. And when we do, as when I give my house keys to a cleaning company,
we sign a legally binding agreement which mentions things like "bonds and
insurance" against potential damages or breaches of security.

I am happy to accept either one of those realities, depending on the
situation. But let's at least understand where we stand before the outrage.

~~~
enraged_camel
> Perhaps I have security breach fatigue, but I am somewhat fed up with the
> usual "emails stolen" headline. An address and a name are by definition
> publicly available records. You can steal them simply by walking down the
> street and taking down mailbox names (or requesting these records from the
> city hall).

I may be able to find out your email address, but that's not the same thing as
knowing that you have an account on some specific website. If I know the
latter, that opens you to phishing and social engineering attacks. I can send
you highly targeted emails from a spoofed address and get you to click a link
or open a file attachment and install malware on your system.

~~~
turnip1979
Exactly. We got a mail from our car insurance provider saying they did not
receive payment and asked to send the payment to some random address. This
could be social engineering or it could be genuine. We are careful so we will
contact the company directly and not use the provided information. But I doubt
most people are so prudent.

------
problems
Original posting:

[https://pastebin.com/zHffB8rA](https://pastebin.com/zHffB8rA)

This contains a bit more data than they were suggesting and a tar file for a
.mozilla directory, possibly containing some saved passwords?

It appears to include b1* usernames and maybe passwords (used for Bell PPPoE
credentials), which might be enough to steal someone's bandwidth or make it
look like someone else downloaded something rather illegal.

------
criddell
Bell says they were stolen by a hacker, I say they were lost because of
negligence.

------
NationLider
To see if you've been affected, use haveibeenpwned! It seems that I have.

------
beex
Not being facetious: what is the worst that can be done with stolen email
addresses? Spam?

~~~
ar0
Targeted phishing. After all, you know that all of these people are Bell
customers, and some of them will have used email addresses they haven't used
anywhere else, so they will expect emails from Bell and might not expect
phishing to these email addresses.

