1.9M Bell customer email addresses stolen by 'anonymous hacker' (cbc.ca)
96 points by Preemo 193 days ago | 21 comments



Perhaps I have security breach fatigue, but I am somewhat fed up with the usual "emails stolen" headline. An address and a name are by definition publicly available records. You can steal them simply by walking down the street and taking down mailbox names (or requesting these records from the city hall).

Of course the fact that these names are Bell's customers gives someone one more bit of information, but again not necessarily private information. My name is on the doorbell buzzer in a densely populated area, which is also served by a single phone company. Once again, the information is kind of public by default.

Perhaps what we need is a more thorough discussion about boundaries between public and private activities. For example, shopping seems to fall into the gray zone between these ideas. I do not usually have the expectation of privacy when I shop. Should I then be surprised that my local mart shares my shopping details with third parties?

On the other end of the spectrum we hold onto truly private information like security tokens or private keys (both real and virtual) with much more zeal. Those we do not share with random strangers, much less large corporate entities. And when we do, as when I give my house keys to a cleaning company, we sign a legally binding agreement which mentions things like "bonds and insurance" against potential damages or breaches of security.

I am happy to accept either one of those realities, depending on the situation. But let's at least understand where we stand before the outrage.


>>Perhaps I have security breach fatigue, but I am somewhat fed up with the usual "emails stolen" headline. An address and a name are by definition publicly available records. You can steal them simply by walking down the street and taking down mailbox names (or requesting these records from the city hall).

I may be able to find out your email address, but that's not the same thing as knowing that you have an account on some specific website. If I know the latter, that opens you to phishing and social engineering attacks. I can send you highly targeted emails from a spoofed address and get you to click a link or open a file attachment and install malware on your system.


Exactly. We got a mail from our car insurance provider saying they did not receive payment and asked to send the payment to some random address. This could be social engineering or it could be genuine. We are careful so we will contact the company directly and not use the provided information. But I doubt most people are so prudent.


The issue is that Bell tried to keep customer information secure, but could not. Luckily it's low impact (in your opinion), but it could have been high impact information.

EDIT: another thing, it's Bell - an internet service provider who should have a higher standard in security. Not some email distribution list of a mom & pop shop where you willingly provided your email address (i.e. made it publicly available).


The reason this is bad is because fresh email lists like this are used with common password lists to brute-force logins to common sites. With 1.9 million valid emails, odds are some have used insecure passwords on some sites.

Because of this, emails are private information. If you are not posting it publicly, you will only be sharing it with friends and trusted companies. All of which should keep it secret and never have them leaked.
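The bulk login attempts described in this comment leave a recognisable trace on the defender's side: one source address cycling through many different accounts with mostly failed results. The following is an added example, not from the thread or from Bell, that flags such sources in a constructed authentication log; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (one login attempt per line); not real data.
# 203.0.113.7 cycles through six accounts, 198.51.100.4 is an ordinary user
# who mistypes a password once, 192.0.2.9 tries two accounts and fails both.
SAMPLE_LOG = """\
2017-05-16T10:00:01 ip=203.0.113.7 user=alice@example.net result=FAIL
2017-05-16T10:00:02 ip=203.0.113.7 user=bob@example.net result=FAIL
2017-05-16T10:00:02 ip=203.0.113.7 user=carol@example.net result=FAIL
2017-05-16T10:00:03 ip=203.0.113.7 user=dave@example.net result=OK
2017-05-16T10:00:03 ip=203.0.113.7 user=erin@example.net result=FAIL
2017-05-16T10:00:04 ip=203.0.113.7 user=frank@example.net result=FAIL
2017-05-16T10:01:10 ip=198.51.100.4 user=alice@example.net result=FAIL
2017-05-16T10:01:20 ip=198.51.100.4 user=alice@example.net result=OK
2017-05-16T10:05:00 ip=198.51.100.4 user=alice@example.net result=OK
2017-05-16T10:07:00 ip=192.0.2.9 user=bob@example.net result=FAIL
2017-05-16T10:07:01 ip=192.0.2.9 user=carol@example.net result=FAIL
"""

# Assumed log layout: "ip=<addr> user=<account> result=OK|FAIL".
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_attempts(log_text):
    """Return (ip, user, result) tuples for every parsable log line."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m["ip"], m["user"], m["result"]))
    return attempts


def find_stuffing_sources(attempts, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that touch many distinct accounts with mostly failures.

    A single user retrying their own password has one account; a credential
    stuffing run has many, and most guesses fail. Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for ip, user, result in attempts:
        stats[ip]["users"].add(user)
        stats[ip]["ok" if result == "OK" else "fail"] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["fail"] + s["ok"]
        ratio = s["fail"] / total
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["users"]), "attempts": total,
                           "fail_ratio": round(ratio, 2)}
    return flagged
```

The one successful login inside the flagged burst is the interesting event for an incident responder: it is the account whose password was reused elsewhere.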


No. Stop. An email address is not a publicly available record.

And I have no idea how on earth you could think it would be.


>No. Stop. An email address is not a publicly available record.

Sure it is. It's given out extensively for individuals to contact you. Same as a phone number used to be published in a phone book. Same as we publish public keys and same as your username here is public.

It is by definition, something that is shared to the public for public use... as opposed to a secret like a passphrase or private key.


I disagree with your premise, but even if the email address itself were a public record, the connection of the email address to the service that has been breached is not public.

This is obvious in cases like the Ashley Madison leak.


Yes, it is given out to individuals and corporations voluntarily by me. Normally no one has the means to find out what email address I have without asking me. Hence it is NOT a public record.

A phone number can be unlisted (the term differs between different countries), which is not the same as being "hidden/private"; it just means that it isn't a publicly available record and not listed in phone books.

How can this be a foreign concept?


And if you only give an email address to a single company to open an account with them? Is that public too? Not everyone has a single email address they give to anyone who asks for it.

There's "public" as in you're not the only person who knows it (not secret) and there's "public" as in it is freely available to anyone who wants it without any interaction with you personally.


Yeah, I wish. I've done >50 FOIA requests for email communications' metadata across the US and one of the more common rejection reasons is specifically that email addresses are NOT public records. Sure, the domain name is, but that's about it.


Original posting:

https://pastebin.com/zHffB8rA

This contains a bit more data than they were suggesting and a tar file for a .mozilla directory, possibly containing some saved passwords?

It appears to include b1* usernames and maybe passwords (used for Bell PPPoE credentials), might be enough to steal someone's bandwidth or make it look like someone else downloaded something rather illegal.


Bell says they were stolen by a hacker, I say they were lost because of negligence.


To see if you've been affected, use haveibeenpwned! It seems that I have.


Not being facetious: what is the worst that can be done with stolen email addresses? Spam?


Targeted phishing. After all you know that all of these people are Bell customers and some of them will have used email addresses they haven't used anywhere else, so they will expect emails from Bell and might not expect phishing to these email addresses.


Correlate them with other dumped email/passwords lists and try to log in and find other info to eventually scam/phish/fraud people?


Kinda funny the 'relevant ads' program was worse in my opinion. http://www.cbc.ca/news/canada/windsor/bell-faces-750m-lawsui...


Phishing is a start.


I'm not sure if it is the worst, but one issue is bruteforcing valid premium logins on sites.


Paste them in website popups that ask for email addresses to be put on a subscription list.

