This weekend brought a fresh reminder that you should always have some “burner” email address accounts handy for interactions with e-commerce Web sites. Shoppers at Saks Fifth Avenue who had asked the firm for notifications when sold-out items were available had their personal information exposed by the firm, I have confirmed. Some 80,000 email addresses and/or phone numbers were exposed, along with other personal nuggets — hints at where the victims worked, and what items they ordered, for example.
The data was shared with me by Bill Dedman at PowerReporting.com. It was visible to the public during much of the weekend, but appeared to be removed from public view by Sunday.
While the leak did not include payment information, a list of devoted Saks shoppers would be a useful tool for would-be hackers and ID thieves. Presumably, most would be high-net-worth individuals, and all of them would be waiting for an email from Saks with good news about a wanted item — ideal for a phishing scam.
The list could also be potentially embarrassing for some. There are 90 .gov emails listed, for example, suggesting government workers might be shopping while at work — or at least using taxpayer-supported computers for personal affairs. NIH, IRS, USAID, NASA, and FERC domains were all spotted on the list. Several NYC school domains were also in the list. And at least one DHS email was also spotted, which raises the additional risk of compromising someone working in homeland security, then using that attack to gain other sensitive privileges.
SKUs for wait-listed items were also included, meaning someone could look up the dress, shoes, or even lingerie that customers were hoping to buy from Saks.
At a bare minimum, better digital hygiene (a spare Gmail account) would prevent such users from having potentially embarrassing conversations with their bosses.
For its part, Saks acknowledged the leak and said the problem that caused it has been fixed. It confirmed that the emails included customers who had signed up for “waiting list” notifications, and a few other less common circumstances. The firm’s general mailing list was not impacted.
“We take this matter seriously,” Saks said in a statement to me. “We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
It was unclear if Saks used a third-party firm to maintain the waiting list email databases; many retailers offer similar wait-list features.
There is no indication people on the list have been victims of a fraud. It’s likely that the tool used to set up waiting list notifications was simply misconfigured and the discovery was made by a white-hat hacker, who passed it along to Dedman.
Still, Saks customers should use extra skepticism when opening emails for quite some time — from Saks, or from anyone else. It would be easy to construct a very tempting email that said, “Caitlin: The dress you wanted is now in stock! We could call you at 646 -XXX-XXX or simply click here to order.”
And everyone reading this story should have a spare free email address that they use for such interactions with e-commerce firms — an address that wouldn’t put you at great risk if it were hacked some day, or overrun with spam.
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, sign up for my free email list, click on an advertisement, or just share the story.