Newegg Hacked?

09/01/08

Permalink 08:46:15 pm, by me, 2208 words, 1466 views   English (US)
Categories: Technology


UPDATE 2 9/4/08:
Got a copy and pasted brush-off letter from the Newegg support person. My reply went to the sender as well as to a couple of other Newegg email addresses I have stashed. Brush-off reproduced in full:

Dear Customer,

Thank you for contacting Newegg.

We are aware that there is always some room for improvement, which is why we value your thoughts. Rest assured that your feedback will receive the attention it deserves and Newegg will continue striving to offer high quality products at low, affordable prices and only the finest in customer service. Please allow us more time to process your issue. Our related department will write back to you directly for this issue once they finish processing it.

If you have any further questions or concerns, please visit our FAQs page. If you still need assistance, please feel free to email me directly and I will be happy to assist you.

Thank you,

Ruby Luo

UPDATE 9/4/08:
Finally got a reply of sorts from Newegg. Not sure how to parse the key portions, as the English is broken in exactly the wrong part:

Reference number: {redacted} Please use this ticket number in any correspondence with Newegg.com.

Subject: Newegg.com - >(Mail #{redacted})*

Dear Customer,

Thank you for contacting Newegg.

We apologize for any inconvenience this may have caused you. Due to the large volume of the emails. We should have not processed your email yet. We will not release the contact information to any other party. Please forward the entire email to us and we will do further investigation for it.

Thank you for your patience and understanding. If you have any further questions or concerns, please feel free to let us know.

Sincerely,

(Newegg Tech's Name)

UPDATE 9/2/08:
Still no reply from NewEgg, but hits on other fora suggest that I'm far from being the only person thus mistreated. So I used their customer contact link to inform them of such:

I emailed "abuse@newegg.com" over 24 hours ago, and didn't receive so much as a bot reply. Since nobody monitors that email address, I decided it was time to contact you here.

Your webform does not contain sufficient space for me to post specific details of my complaint. Fortunately, I posted a blog entry on the subject, which contains all the details you'll need. The short version is that some dickwad in your organization sold the email address I ONLY use for NewEgg purchases to a spammer calling himself "*******.com" Anyhow, here's the URL:
http://www.taupehat.com/index.php/tech/2008/09/01/newegg_hacked

Put it on Digg, of course:
http://digg.com/security/Newegg_Hacked

And apparently I'm not at all the only one who one of your employees whored out to a spammer:
http://tinyurl.com/newegg-hacked

In short, you guys have a problem. Ignoring it, or blaming the messenger, will only make it much, much worse. I expect a reply tomorrow.

The following is an email I am sending to the newegg abuse team. Will report how they reply if/when it happens. For the record, I really like newegg.com, and it sucks that this has happened to them. However, I've found that posts like this one seem to work better at getting an actual human to reply. Some abuse desks are pretty bad about doing their job.

Oh, and I'm also munging the spamvertized domain to avoid giving the pricks any free advertising. Assholes. Needless to say, I never authorized Newegg to give my email address out to anybody, and have never done business with the spammer, nor will I.

Dear abuse team,

The following email was sent to an address which I have ONLY ever used to do business with newegg.com. As the sole user of taupehat.com, I wildcard the address and use that method to see who spams me.

In this instance, I'm pretty sure newegg.com had no direct involvement in the spam run, but I am positive that your company had indirect involvement, as the spam run was targeted at tech users, and used my newegg-only email address as its target.

IN OTHER WORDS, YOU HAVE A LEAK. SOMEONE SOLD MY ADDRESS (AND WHO KNOWS HOW MANY OTHERS) TO A SPAMMER.


Find him, kill him. Do it slowly, and video the event for all to see. Or (perhaps more realistically) at least shitcan the guy and consult law enforcement to see if you can get him a new pair of locking bracelets.

Cheers,
Mike

OK, here's the full headers and source of the spam. Any questions, you know how to reach me. In fact, I rather insist that an actual human being does contact me via this address. To ensure that this does happen, I'm posting the entire contents of this email on my website at www.taupehat.com and will be more than happy to post your reply.

*****************SPAM STARTS BELOW THIS LINE*****************
Return-Path: <unsubscribe@*******.com>
X-Original-To: ***@taupehat.com
Delivered-To: **@taupehat.com
X-Greylist: delayed 81 seconds by postgrey-1.31 at taupehat.com; Mon, 01 Sep 2008 18:57:46 PDT
Received: from *******.com (65-60-**-**.static-ip.telepacific.net [65.60.**.**])
by taupehat.com (Postfix) with ESMTP id **********
for <***@taupehat.com>; Mon, 1 Sep 2008 18:57:46 -0700 (PDT)
Received: from *******-1 ([65.60.**.*]) by *******.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 1 Sep 2008 18:56:04 -0700
From: ******* News <news@*******.com>
To: ***@taupehat.com
Message-Id: <20080901185549.5943703@*******.com>
Subject: ******* - One Stop Shop Storage Solution Provider
Date: Mon, 1 Sep 2008 18:55:49 -0700
MIME-Version: 1.0
Reply-To: news_reply@*******.com
Content-Type: multipart/alternative; boundary="AlternativeBoundary.22222222.22222222"
X-OriginalArrivalTime: 02 Sep 2008 01:56:04.0271 (UTC) FILETIME=[********:********]

--AlternativeBoundary.22222222.22222222
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

--AlternativeBoundary.22222222.22222222
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

<HEAD>
</HEAD>
<BODY>
<TABLE cellSpacing=0 cellPadding=0 width=1024 border=0>
<TBODY>
<TR>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=116 border=0></TD>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=358 border=0></TD>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=67 border=0></TD>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=381 border=0></TD>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=102 border=0></TD>
<TD><IMG height=1 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD colSpan=5><A href="http://www.*******.com/"><IMG id=newsletter_demo_01_v3_r1_c1 height=125 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r1_c1.jpg" width=1024 border=0 name=newsletter_demo_01_v3_r1_c1></A></TD>
<TD><IMG height=125 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD colSpan=5><A href="http://www.*******.com/"><IMG id=newsletter_demo_01_v3_r14_c1 height=267 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r14_c1.jpg" width=1024 border=0 name=newsletter_demo_01_v3_r14_c1></A></TD>
<TD><IMG height=267 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD colSpan=5><IMG id=newsletter_demo_01_v3_r2_c1 height=63 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r2_c1.jpg" width=1024 border=0 name=newsletter_demo_01_v3_r2_c1></TD>
<TD><IMG height=63 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD rowSpan=11><IMG id=newsletter_demo_01_v3_r3_c1 height=829 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r3_c1.jpg" width=116 border=0 name=newsletter_demo_01_v3_r3_c1></TD>
<TD><A href="http://www.*****.com/"><IMG id=newsletter_demo_01_v3_r3_c2 height=116 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r3_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r3_c2></A></TD>
<TD rowSpan=11><IMG id=newsletter_demo_01_v3_r3_c3 height=829 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r3_c3.jpg" width=67 border=0 name=newsletter_demo_01_v3_r3_c3></TD>
<TD><A href="http://www.********.com/"><IMG id=newsletter_demo_01_v3_r3_c4 height=116 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r3_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r3_c4></A></TD>
<TD rowSpan=11><IMG id=newsletter_demo_01_v3_r3_c5 height=829 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r3_c5.jpg" width=102 border=0 name=newsletter_demo_01_v3_r3_c5></TD>
<TD><IMG height=116 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><IMG id=newsletter_demo_01_v3_r4_c2 height=85 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r4_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r4_c2></TD>
<TD rowSpan=2><IMG id=newsletter_demo_01_v3_r4_c4 height=98 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r4_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r4_c4></TD>
<TD><IMG height=85 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD rowSpan=2><A href="http://www.*******.com.tw/"><IMG id=newsletter_demo_01_v3_r5_c2 height=123 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r5_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r5_c2></A></TD>
<TD><IMG height=13 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><A href="http://www.*****.com.tw/"><IMG id=newsletter_demo_01_v3_r6_c4 height=110 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r6_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r6_c4></A></TD>
<TD><IMG height=110 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><IMG id=newsletter_demo_01_v3_r7_c2 height=83 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r7_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r7_c2></TD>
<TD rowSpan=2><IMG id=newsletter_demo_01_v3_r7_c4 height=93 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r7_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r7_c4></TD>
<TD><IMG height=83 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD rowSpan=2><A href="http://www.******.com/"><IMG id=newsletter_demo_01_v3_r8_c2 height=126 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r8_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r8_c2></A></TD>
<TD><IMG height=10 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><A href="http://www.*************.com/"><IMG id=newsletter_demo_01_v3_r9_c4 height=116 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r9_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r9_c4></A></TD>
<TD><IMG height=116 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD rowSpan=2><IMG id=newsletter_demo_01_v3_r10_c2 height=76 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r10_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r10_c2></TD>
<TD><IMG id=newsletter_demo_01_v3_r10_c4 height=64 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r10_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r10_c4></TD>
<TD><IMG height=64 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD rowSpan=2><A href="http://www.******.com/"><IMG id=newsletter_demo_01_v3_r11_c4 height=138 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r11_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r11_c4></A></TD>
<TD><IMG height=12 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><A href="http://www.********.com/"><IMG id=newsletter_demo_01_v3_r12_c2 height=126 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r12_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r12_c2></A></TD>
<TD><IMG height=126 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD><IMG id=newsletter_demo_01_v3_r13_c2 height=94 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r13_c2.jpg" width=358 border=0 name=newsletter_demo_01_v3_r13_c2></TD>
<TD><IMG id=newsletter_demo_01_v3_r13_c4 height=94 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r13_c4.jpg" width=381 border=0 name=newsletter_demo_01_v3_r13_c4></TD>
<TD><IMG height=94 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD colSpan=5><IMG id=newsletter_demo_01_v3_r15_c1 height=362 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r15_c1.jpg" width=1024 border=0 name=newsletter_demo_01_v3_r15_c1></TD>
<TD><IMG height=362 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR>
<TR>
<TD colSpan=5><A href="http://www.*******.com/"><IMG id=newsletter_demo_01_v3_r16_c1 height=54 alt=www.*******.com src="http://www.*******.com/images/news_letter/2008/08002/newsletter_demo_01_v3_r16_c1.jpg" width=1024 border=0 name=newsletter_demo_01_v3_r16_c1></A></TD>
<TD><IMG height=54 alt="" src="http://www.*******.com/images/news_letter/2008/08002/spacer.gif" width=1 border=0></TD></TR></TBODY></TABLE><STRONG><FONT color=#ff0000>To unsubscribe, please</FONT></STRONG> <a href="mailto:unsubscribe@*******.com?Subject=Unsubscribe-{hash value}">click here</a>.</BODY>

--AlternativeBoundary.22222222.22222222--
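The per-vendor alias trick the post relies on (a catch-all domain, one alias per merchant, so the alias a spam lands on names the merchant whose copy of the address leaked) is easy to automate. The script below is an added example, not code from the post: it takes a raw message, pulls the vendor tag out of the envelope recipient, walks the Received chain for the relay IPs, keeps only the handoff IP from the Received header our own MTA wrote (the one hop the sender could not forge), and reads the postgrey delay. The sample message, hostnames and IPs are constructed placeholders modelled on the redacted headers above, and `taupehat.example` stands in for the real domain.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the redacted headers in the post; the
# hostnames, addresses and IPs are placeholders, not the real spammer's.
SAMPLE_SPAM = """\
Return-Path: <unsubscribe@spammer.example>
X-Original-To: newegg@taupehat.example
Delivered-To: newegg@taupehat.example
X-Greylist: delayed 81 seconds by postgrey-1.31 at taupehat.example; Mon, 01 Sep 2008 18:57:46 PDT
Received: from spammer.example (65-60-1-2.static-ip.isp.example [65.60.1.2])
\tby taupehat.example (Postfix) with ESMTP id 0123456789
\tfor <newegg@taupehat.example>; Mon, 1 Sep 2008 18:57:46 -0700 (PDT)
Received: from spammer-1 ([192.168.0.5]) by spammer.example with Microsoft SMTPSVC(6.0.3790.3959);
\tMon, 1 Sep 2008 18:56:04 -0700
From: Spammer News <news@spammer.example>
To: newegg@taupehat.example
Subject: One Stop Shop Storage Solution Provider
Date: Mon, 1 Sep 2008 18:55:49 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"

newsletter body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def alias_tag(msg):
    """Local part of the envelope recipient. With one alias per vendor this
    names the vendor whose copy of the address was used."""
    rcpt = msg.get("Delivered-To") or msg.get("X-Original-To") or ""
    return str(rcpt).strip().split("@", 1)[0].lower()


def relay_chain(msg):
    """Bracketed IPs from every Received header, newest hop first. Only the
    hops added by hosts we control are trustworthy; the rest are claims."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_IN_BRACKETS.findall(str(hdr)))
    return ips


def handoff_ip(msg, my_host):
    """IP of the host that handed the message to our own MTA, taken from the
    Received header our server wrote ('by my_host')."""
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())
        if f"by {my_host}" in text:
            m = IP_IN_BRACKETS.search(text)
            if m:
                return m.group(1)
    return None


def greylist_delay(msg):
    """Seconds postgrey held the sender off; a retry after the delay shows a
    real queueing MTA rather than a fire-and-forget cannon."""
    m = re.search(r"delayed (\d+) seconds", str(msg.get("X-Greylist", "")))
    return int(m.group(1)) if m else None


def triage(raw, my_host):
    """Summarise one spam: which vendor alias it hit and where it came from."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip = handoff_ip(msg, my_host)
    sender = str(msg.get("From", ""))
    return {
        "alias": alias_tag(msg),
        "handoff_ip": ip,
        "handoff_is_global": bool(ip) and ipaddress.ip_address(ip).is_global,
        "relay_chain": relay_chain(msg),
        "greylist_delay_s": greylist_delay(msg),
        "sender_domain": sender.rsplit("@", 1)[-1].rstrip(">").lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SPAM, "taupehat.example").items():
        print(f"{key:18} {value}")
```

Run against a mailbox of spams, the `alias` field is the one to aggregate on: several unrelated spam campaigns arriving on the same vendor alias is the evidence the post is describing, while a single campaign spread across many aliases points at the sender guessing addresses rather than at any one vendor.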

Comments, Pingbacks:

Comment from: Adam [Visitor]
Newegg leaked my info to B*yst*r too. Both companies are right off of Azusa Ave in City of Industry; you could probably walk from one to the other. So I think maybe they are affiliated and this was not an accidental leak. Newegg used to be a great supplier but they all decline eventually.
Permalink 09/20/08 @ 14:12
Comment from: clara [Visitor]
Me too.

I'd assumed another estore leaked it because it was right after a storage purchase on another site. However, I buy from Newegg pretty consistently, so it could well be them.

I found this with google trying to figure out who the $*% these Buystor people are.
Permalink 10/01/08 @ 20:47
Comment from: Doug [Visitor]
Atrocious. I hate companies like this. How could they be experienced technology professionals and not realize that people will post complaints and be picked up by search engines?

Permalink 10/02/08 @ 09:35
Comment from: Paul [Visitor] · http://www.eggxpert.com
Greetings All,

My name is Paul and I am a forum administrator for Newegg's community website, EggXpert.com.

I would like to let you know that Newegg is aware of the spam and/or phishing emails that have been sent to some of our customers on behalf of "buystor.com". We have received multiple emails from concerned parties regarding these incidents, especially from customers who use unique email addresses that are only registered to Newegg.com. These emails, and the website buystor.com, are in no way affiliated with Newegg or any of its subsidiaries.

We have investigated these reports, and I am happy to inform you that we have found no evidence of leaked or stolen personal information or email addresses.

We take our Privacy Policy very seriously, and we do not sell, rent or distribute customer information or email addresses to any third party. You can access our full privacy policy via this link:
http://www.newegg.com/HelpInfo/PrivacySecurity.aspx

Though we cannot provide a definitive answer to how these emails were sent, all indications point toward email-botting practices that massively distribute spam to randomly generated email addresses.
We will continue to monitor this situation and take all action possible against those responsible.

Thank you very much for your time and patronage!

Kindest Regards,
Paul

I can be contacted on EggXpert.com, aka wyldstallyn.
Permalink 10/07/08 @ 10:59
Comment from: me [Member]
Paul,

Thank you for taking the time to reach out on this matter. Please understand that I never felt that Newegg was distributing your customer email addresses as a matter of policy, rather that someone within your organization was selling them under the table or that you had been compromised in some other way. I understand that the position that you're taking is that somehow these addresses were harvested via some bot or malware, and that certainly makes sense to me. Allow me to suggest that the bot was within your organization: the address that was attacked in my case was not random, nor do my mail server logs indicate any mass spam-run attempt at random addresses, but instead a very targeted email send, from an apparently properly-configured email server, coming out of IP space in ChinaCache's US holdings. Since I wildcard my domain to my inbox, a massive spamrun attack would have resulted in many more emails than the ones sent to my newegg-only alias.

I am gratified to know that Newegg has investigated this ongoing issue and that you believe that nobody was intentionally leaking this data. However, for the reasons given above, I am certain within any reasonable degree practical that the origin still lies within your organization. My suggestion would be that perhaps your botting suggestion is accurate, and a computer within Newegg has in fact been picked off by some sort of malware (or spear-phishing), and this is the source of the problem. It happens.

For what it's worth, I'd gladly point the finger at my own systems, except that many other people are complaining of exactly the same problem: Newegg-only aliases being attacked specifically. Also probably worth bringing up that I don't run Windows anywhere, so the chances that some bot author is going to write a cross-platform attack against my systems directly so he can spam me with storage solution crap approaches nil.

Again, I do appreciate your time and concern, and wish you the very best in tracking down the root cause of your problem there. Incidentally, if it's true that this organization is just down the street from you, why not have your lawyers talk to their lawyers?
Permalink 10/07/08 @ 11:16
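The comment above rests on a mail-server-log argument: on a catch-all domain a dictionary or harvesting run shows up as one client delivering to many different local parts, whereas a send to a single vendor alias and nothing else looks targeted. The script below is an added example (not the author's code or logs) that makes that check mechanical on Postfix-style logs: it joins the `smtpd` line carrying the client IP to the `local` delivery line through the queue id, then counts distinct local parts per client. The log excerpt, host names, queue ids and IPs are constructed placeholders, and the `max_targeted` threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log excerpt (placeholder hosts, queue ids and
# IPs), not the author's real logs. One session delivers to a single vendor
# alias; another walks through several local parts in a row.
SAMPLE_LOG = """\
Sep  1 18:57:46 mx postfix/smtpd[1234]: 9F3B21C0A1: client=65-60-1-2.static-ip.isp.example[65.60.1.2]
Sep  1 18:57:46 mx postfix/local[1240]: 9F3B21C0A1: to=<newegg@taupehat.example>, relay=local, delay=0.3, status=sent (delivered to mailbox)
Sep  1 19:02:10 mx postfix/smtpd[1250]: A1C44D0B22: client=unknown[203.0.113.9]
Sep  1 19:02:10 mx postfix/local[1255]: A1C44D0B22: to=<alice@taupehat.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Sep  1 19:02:11 mx postfix/smtpd[1250]: A1C44D0B23: client=unknown[203.0.113.9]
Sep  1 19:02:11 mx postfix/local[1255]: A1C44D0B23: to=<admin@taupehat.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Sep  1 19:02:12 mx postfix/smtpd[1250]: A1C44D0B24: client=unknown[203.0.113.9]
Sep  1 19:02:12 mx postfix/local[1255]: A1C44D0B24: to=<bob@taupehat.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Sep  1 19:02:13 mx postfix/smtpd[1250]: A1C44D0B25: client=unknown[203.0.113.9]
Sep  1 19:02:13 mx postfix/local[1255]: A1C44D0B25: to=<info@taupehat.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Sep  1 19:02:14 mx postfix/smtpd[1250]: A1C44D0B26: client=unknown[203.0.113.9]
Sep  1 19:02:14 mx postfix/local[1255]: A1C44D0B26: to=<sales@taupehat.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
"""

# smtpd line: queue id -> connecting client IP (the bracketed address)
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([\d.]+)\]")
# local delivery line: queue id -> envelope recipient
RCPT_RE = re.compile(r"postfix/local\[\d+\]: (\w+): to=<([^>]+)>")


def recipients_by_client(lines):
    """Join smtpd and local lines on the queue id and return
    {client_ip: {local parts delivered to}}."""
    queue_ip = {}
    seen = defaultdict(set)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            queue_ip[m.group(1)] = m.group(2)
            continue
        m = RCPT_RE.search(line)
        if m and m.group(1) in queue_ip:
            local_part = m.group(2).split("@", 1)[0].lower()
            seen[queue_ip[m.group(1)]].add(local_part)
    return seen


def classify(log_text, max_targeted=2):
    """Many distinct local parts from one client in the window look like a
    dictionary or harvest run; one or two aimed at a vendor alias look
    targeted. max_targeted is an assumed threshold; tune it to your volume."""
    out = {}
    for ip, rcpts in recipients_by_client(log_text.splitlines()).items():
        verdict = "dictionary-run" if len(rcpts) > max_targeted else "targeted"
        out[ip] = {"recipients": sorted(rcpts), "verdict": verdict}
    return out


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["recipients"])
```

A "targeted" verdict says only that the sender already held the exact alias; it narrows the question to where that alias had been stored, and cannot on its own say whether the copy left through an insider, a compromised host or a third party the vendor shared it with.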
Comment from: Paul [Visitor] · http://www.eggxpert.com
It's funny that you mentioned lawyers, as I have just recently been in contact with ours!
With this in mind, I would like to provide this clarification of my previous response in order to more accurately reflect the status of Newegg's ongoing investigation.

"Greetings All,

My name is Paul and I am a forum administrator for Newegg's community website, EggXpert.com.

I would like to let you know that Newegg is aware of the spam and/or phishing emails that have been sent to some of our customers on behalf of "buystor.com". We have received multiple emails from concerned parties regarding these incidents, especially from customers who use unique email addresses that are only registered to Newegg.com. These spam and/or phishing emails, and the website buystor.com, are in no way affiliated with Newegg or any of its subsidiaries.

We have investigated these reports, and I am happy to inform you that we have found no evidence of leaked or stolen personal information or email addresses from our system.

We take our Privacy Policy very seriously, and we do not sell, rent or distribute customer information or email addresses to any third party. You can access our full privacy policy via this link:
http://www.newegg.com/HelpInfo/PrivacySecurity.aspx

Though we cannot provide a definitive answer to how these emails were sent, we will continue to monitor this situation and take all action possible against those responsible.

Thank you very much for your time and patronage!

Kindest Regards,
Paul

I can be contacted on EggXpert.com, aka wyldstallyn"
Permalink 10/07/08 @ 15:15
Comment from: me [Member]
Well, OK then, you don't think it was a random spamrun after all. But those addresses were targeted _somehow_ weren't they?

Really, I wish you the very best in finding out how this happened and going after those responsible. The rest of us should be free to exercise our right to gripe - we didn't ask for this spam, you know...
Permalink 10/07/08 @ 15:32
Comment from: Paul [Visitor] · http://www.eggxpert.com
Thank you for your kind words, and if you have received one of these emails -- especially if it was received at an email address that had only been used for Newegg transactions prior to the spam -- we want to hear from you. I hate spam too (so I can't post my direct email address here) but you can reach me via private message (PM) on EggXpert.com.

My User ID there is wyldstallyn.
Any help you can provide is greatly appreciated!
Permalink 10/08/08 @ 14:26
Comment from: West [Visitor]
I received a buystor spam email from news@buystor.com at 5:03 PM PDT today (8 Oct 2008). At the top of the email is the statement "Our system indicates that [my email address] has been opt-in to receive third party newsletters from our affiliate site. If you believe you receive this email in error, please unsubscribe here."

I have purchased from Newegg.com within the past year but have never purchased from (or heard of) BuyStor. I have seen messages posted in some forums that suggest the spam was only sent to Newegg customers who purchased items made by Seagate, but I have never purchased anything made by Seagate.

From what I have read, it sounds likely that Newegg is the source of this leak. On the other hand, I cannot rule out other possibilities--I do not use the email address in question exclusively for Newegg purchases.
Permalink 10/08/08 @ 19:32
