Here’s yet another reminder that you should always have some “burner” email address accounts handy for interactions with e-commerce websites.
I’ve confirmed that shoppers at Saks Fifth Avenue who had asked the firm for notifications when sold-out items were available had their personal information exposed by the firm.
Some 80,000 email addresses and/or phone numbers were exposed, along with other personal nuggets—hints at where the victims worked, and what items they ordered, for example.
The data was shared with me last weekend by Bill Dedman at PowerReporting.com. It was visible to the public during much of the weekend, but appeared to be removed from public view by Sunday, March 19.
High-value information leaked
While the leak did not include payment information, a list of devoted Saks shoppers would be a useful tool for would-be hackers and ID thieves. Presumably, most would be high-net-worth individuals, and all of them would be waiting for an email from Saks with good news about a wanted item—ideal for a phishing scam.
The list also potentially could be embarrassing for some. There are 90 .gov emails listed, for example, suggesting government workers might be shopping while at work—or at least using taxpayer-supported computers for personal affairs.
NIH, IRS, USAID, NASA, and FERC domains were all spotted on the list. Several New York City school domains also were on the list. And at least one DHS email also was spotted, which raises the additional risk that someone working in homeland security could be compromised, with that foothold then used to gain other sensitive privileges.
SKUs for wait-listed items also were included, meaning someone could look up the dress, shoes or even lingerie that customers were hoping to buy from Saks.
Keep a spare account for purchases
At a bare minimum, better digital hygiene (a spare Gmail account) would prevent such users from having potentially embarrassing conversations with their bosses.
For its part, Saks acknowledged the leak and said the problem that caused it has been fixed. It confirmed that the emails included customers who had signed up for “waiting list” notifications, and a few other less common circumstances. The firm’s general mailing list was not impacted.
“We take this matter seriously,” Saks said in a statement to me. “We want to reassure our customers that no credit, payment or password information was ever exposed. The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low, single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
It was unclear if Saks used a third-party firm to maintain the waiting list email databases; many retailers offer similar wait-list features.
No widespread fraud at this time
There is no indication people on the list have been victims of fraud. It’s likely that the tool used to set up waiting list notifications was simply misconfigured and the discovery was made by a white-hat hacker, who passed it along to Dedman.
Still, Saks customers should use extra skepticism when opening emails for quite some time—from Saks, or from anyone else. It would be easy to construct a very tempting email that said, “Caitlin: The dress you wanted is now in stock! We could call you at 646-XXX-XXX or simply click here to order.”
And everyone reading this story should have a free, spare email address that they use for such interactions with e-commerce firms—an address that wouldn’t put you at great risk if it were hacked some day, or overrun with spam.
This article originally appeared on Thirdcertainty.com and was written by Bob Sullivan.