I can haz ur email list

By Mike Rothman

We are a full disclosure shop here at Securosis. That means you get to see the good, the bad, and yes, the ugly too. We’ve been pretty up front about saying it was just a matter of time before our stuff got hacked. In fact, you can check out the last comment from this 2007 post, where Rich basically says so. Not that we are a high profile target or anything, but it happens to everyone at some point or another.

And this week was our time. Sort of. You see, we are a small business like many of you. So we try to leverage this cloud thing and managed services where appropriate. It’s just good business sense, given that many of these service providers can achieve economies of scale we could only dream about. But there are also risks in having somewhat sensitive information somewhere else. A small part of our email list was compromised, as a result of our service provider being hacked.

I got an email from a subscriber to the Incite mailing list on Monday night, letting me know he was getting spam messages to an address he only uses for our list. I did some initial checking around and couldn’t really find anything amiss. Then I got another yesterday (Wednesday) saying the same thing, so I sent off a message to our email service provider asking what was up. It seems our email provider got compromised about 6 weeks ago. Yes, disclosure fail. Evidently they only announced this via their blog.

It’s surprising to me that it took the bad guys 6 weeks to start banging away at the list, but nonetheless it happened and proves that one of our lists has been harvested. There isn’t anything we can do about it at this point except apologize. For those of you who share your email addresses with us, we are very sorry if you ended up on a spam list.

And that’s one of the core issues of this cloud stuff. You are trusting your sensitive corporate data to other folks, and sometimes they get hacked. All you can do is ask the questions (hopefully ahead of time) to ensure your information is protected by the service provider, but at the end of the day this happens.

We are on the hook for violating the trust of our community, and we take that seriously. So once again all of us at Securosis apologize.


Excellent chance to drive that point home about data being in someone else’s hands.

Seems there are 3 different types of disclosures…

- the non-disclosure
- the disclosure with as much vagueness as possible
- the full details on how and what (yummy!)

I wish they had made their disclosure part of the latter, mostly only because as someone who knows security, it might be a great chance for them to actually impress me.

Instead, they make a vague announcement, which is common. Also common: the lack of key words like disclos*, breach, hack*... While a post like this will eventually get buried, no potential customers are going to be able to do a quick search to see if they’ve been breached in the past…

...Not that I think many people make those searches…

By LonerVamp
