Email Leakage

Whenever I do business online I tend to create a new email address for each company I do business with.  Late last week I received a spam email at the address I used when signing up for the online account access feature that Cingular offers.  I rechecked all the account settings as well as their privacy policy and determined that their policy is not to share email addresses with any outside agencies.  Further, I know that the email address that I used has not ever been used for any other purpose (i.e. I’ve never sent anything using it, since I’d have to reconfigure my email client to do so).

The spam was for some kind of cruise website and came from, which isn’t affiliated with Cingular in any way.  This is actually more alarming than if they’d just sold the email, since it could indicate a breach in their security.  It’s possible that they sold my address, but it seems unlikely since that specifically violates their stated privacy policy.  It’s not that I have that much trust in Cingular, it’s that from what I’ve seen they seem to handle everything in-house when it comes to email advertising.  I also confirmed this when I called customer service to complain to them about the spam. 

If they didn’t sell my address, then it means that either someone explicitly broke into one of their systems and stole the addresses or that one of their systems was otherwise compromised and the addresses were harvested (i.e. through a worm).  The worm scenario is more likely than you might think, given that most of the worms we’ve seen lately have been created by spammers to send spam.  It doesn’t seem like that much of a leap for them to use the worms to harvest emails.  Alternately, it could just be that a mass-mailing worm harvested addresses from an infected system at Cingular and sent out emails to a spammer who took the addresses from them.

Regardless, I know that I never initiated any action that would have resulted in receiving this email.  I know that I opted out of all marketing emails when signing up for the Cingular account.  I know that the email address that I used is not subject to being easily guessable (i.e. it wasn’t a common name, it wasn’t just the company’s name, and it contained an underscore).  I know that none of my systems has been infected by a worm (I run weekly virus scans, use LiveUpdate, have the feature enabled to scan each email that is received, and don’t use any of the Microsoft email clients).  Somehow, either intentionally or through negligence, my email address was leaked by Cingular and picked up by the spamming bastards at 

The Cingular customer service rep opened a ticket with their IT support to report the problem, and he said he’d let me know the outcome.  I guess I’ll just wait and see if they turn up anything, although I don’t expect much.  If Cingular was compromised, it would not be in their interest to admit it.


  1. Ted says:

    I can think of two other possible (maybe not probable) reasons for the spam.  Your newly chosen address had a previous life or it was randomly generated by a program.  I understand your point, but you can’t *guarantee* that you know how it happened.
    p.s. I think it is rather ironic that your own comment posting page considers the email address field as required!

  2. Ted,

    I know for a 100% certainty that the email address did not have a previous life because I own two domains.  I created a new email address on one of my domains for this specific account and it was not randomly generated.  In fact, it was something like “cingular_account -at- oneofmydomains”.  Since I’ve owned the domain since 1999, and the domain is based on my name, and I’m pretty certain that the domain was never previously used, that makes it highly improbable that the email address was previously used.  In fact, it should be noted that Cingular didn’t exist at the time I obtained the domain.

    As to knowing how the email was leaked, I never professed 100% certainty to know how it got out.  That part was certainly speculation (or if I was in Cingular’s IT department, those would be the places I’d start).

    Also, I don’t see how it’s ironic to require an email address to post comments to my site (although I don’t currently require that it be a valid address).  It allows for offline communication if a comment goes beyond the bounds of common decency or seems to require a private response.  Of course, most of the people who do so don’t leave valid email addresses, so perhaps the feature isn’t that useful.  However, if comment spams get to be too much of a problem it may become necessary to have a valid email.