Fretboard Security Breach?

Hi folks,

Has the fretboard had a security breach? I've recently started receiving email spam to an email address that I used to sign up to fretboard. For info, I own my own domain and for each service that I sign up to, I create a unique, identifiable email address, hence how I know it's related to this site.

Cheers,
Chris

Comments

  • digitalscreamdigitalscream Frets: 26741
    Nope - there's been no unauthorised access. There are lots of ways that this can happen outside of a data leak, and a few people have reported the same thing over the last five years, but in no case have there been any brute force attacks, direct SQL logins or SQL injection attacks that could've resulted in a data leak.
    <space for hire>
  • TheGhostTheGhost Frets: 1
    Thanks for the reply. What are the other ways this can happen outside of a data leak?
  • digitalscreamdigitalscream Frets: 26741
    Well, I don't have an exhaustive list, obviously, but there could be unauthorised access to any of the devices that store the email address - any mail server along the way, anti-spam services, web servers if you're using webmail of any sort (plus your own browser), your ISP etc etc. And any of those services could also be forwarding it on to other service providers. Then you've got email clients and other applications - particularly on mobile devices, where the details of interaction between apps and contact lists can be somewhat murky. I've noticed that Google's own mail client on Android can leak addresses to advertisers - I do exactly what you have with my email addresses, and I've had spam on addresses that I've only used for local testing where the only external traffic was sending mail directly from my desktop to a Google SMTP server.
    <space for hire>
  • JalapenoJalapeno Frets: 6398
    Your profile displays your email address too - not sure if that is for everyone or Mods only .....


    Imagine something sharp and witty here ......

  • tone1tone1 Frets: 5179
    That’s a relief, I thought @Gassage had brought a Strymon pedal for a minute.... B)
  • TheGhostTheGhost Frets: 1
    Jalapeno said:
    Your profile displays your email address too - not sure if that is for everyone or Mods only .....


    Think that's only if you tick this box in your profile "Allow other members to see your email?" which isn't ticked for me, on purpose.
  • TheGhostTheGhost Frets: 1
    digitalscream said:
    Well, I don't have an exhaustive list, obviously, but there could be unauthorised access to any of the devices that store the email address - any mail server along the way, anti-spam services, web servers if you're using webmail of any sort (plus your own browser), your ISP etc etc. And any of those services could also be forwarding it on to other service providers. Then you've got email clients and other applications - particularly on mobile devices, where the details of interaction between apps and contact lists can be somewhat murky. I've noticed that Google's own mail client on Android can leak addresses to advertisers - I do exactly what you have with my email addresses, and I've had spam on addresses that I've only used for local testing where the only external traffic was sending mail directly from my desktop to a Google SMTP server.
    Thanks for the list. It's a good list, however I'm not convinced.

    I don't use Gmail.

    Again, bearing in mind I own my own domain, and have set up a unique email address just for the fret board: The only time an email with this unique address was received was during sign up in 2017. No email has ever been sent from that address. So very unlikely someone man-in-the-middle'd the connection once in 2017, to send me spam 2 years later. The sign up email is still in my inbox, so there's a chance of compromise my end. But if you had full access to my inbox, why only spam that address? There are plenty more, and many already listed on "have i been pwned" from other security breaches.

    It doesn't make sense.

    Does the fret board sell on our email addresses?
  • digitalscreamdigitalscream Frets: 26741
    TheGhost said:

    Does the fret board sell on our email addresses?
    No.

    All I can tell you is that there's not been a breach - I've searched the logs for the entire server, and there's nothing. Nobody else has access to the server, and the only people who can see non-public email addresses are the mods (none of whom have any reason to do anything like that).

    I also have several honeypot accounts set up on here to trap spam (accounts which have never even so much as received an email), and none of them have been triggered...which they would've been if anyone was trying to grab our database for spam - no sense in just using a couple of email addresses if you've got access to the whole 12k or so, is there?
    <space for hire>
  • stickyfiddlestickyfiddle Frets: 27209
    Let's not forget brute-force random email generators too. Entirely possible it's just someone bunging out emails at full-pace to a sequence of random emails rather than worrying about whether it's an actual address or not.
    The Assumptions - UAE party band for all your rock & soul desires
  • TheGhostTheGhost Frets: 1
    digitalscream said:
    I also have several honeypot accounts set up on here to trap spam (accounts which have never even so much as received an email), and none of them have been triggered...which they would've been if anyone was trying to grab our database for spam - no sense in just using a couple of email addresses if you've got access to the whole 12k or so, is there?
    Ok cool, that's good to know. That's more reassuring.

    stickyfiddle said:
    Let's not forget brute-force random email generators too. Entirely possible it's just someone bunging out emails at full-pace to a sequence of random emails rather than worrying about whether it's an actual address or not.
    Yup I agree, and I was just having exactly this chat with some work colleagues. But odd that this is the only spam I've received and it's for an exact address, not something brute force guessed, ie, not addressed to theghost1, theghost2, theghost3 etc.
  • wizbit81wizbit81 Frets: 452
    If it helps, at work I have received spam emails from individuals at NHS trusts when there is no way they have ever seen any emails that I've sent. Only commonality is that we both work in the NHS.
  • FretwiredFretwired Frets: 24601
    TheGhost said:
    Yup I agree, and I was just having exactly this chat with some work colleagues. But odd that this is the only spam I've received and it's for an exact address, not something brute force guessed, ie, not addressed to theghost1, theghost2, theghost3 etc.
    ISP hacked? Fasthosts got hit which resulted in me getting spam. I got a lot of it.

    Do a search on the Dark Web for your email to see if it has been compromised:



    Remember, it's easier to criticise than create!
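
Added example, not part of the thread and not anyone's own tooling: the three explanations debated above (a harvested address list tripping honeypot accounts, one specific per-service address being exposed, random-address guessing) leave different traces in the receiving mail server's log, and this triage separates them. The domain, alias map, canary names, threshold and simplified log format are all constructed assumptions.

```python
import re
from collections import defaultdict

DOMAIN = "example.org"                     # assumption: the mailbox owner's domain
ALIASES = {"fretboard": "forum.example",   # assumption: alias -> domain expected to mail it
           "shop": "shop.example"}
CANARIES = {"trap1", "trap2"}              # assumption: never-used honeypot mailboxes
GUESS_THRESHOLD = 3                        # unknown local parts from one sender domain

# Simplified, constructed log format: "... from=<user@sender> to=<local@domain>"
LINE = re.compile(r"from=<[^@>]*@([^>]+)> to=<([^@>]+)@([^>]+)>")

def triage(lines):
    """Sort inbound envelopes into canary hits, alias leaks and guessing runs."""
    canary_hits, alias_leaks = [], []
    unknown = defaultdict(set)             # sender domain -> nonexistent local parts tried
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(3).lower() != DOMAIN:
            continue
        sender, local = m.group(1).lower(), m.group(2).lower()
        if local in CANARIES:
            canary_hits.append((local, sender))
        elif local in ALIASES:
            expected = ALIASES[local]
            if sender != expected and not sender.endswith("." + expected):
                alias_leaks.append((local, sender))
        else:
            unknown[sender].add(local)
    guessing = {s: sorted(l) for s, l in unknown.items() if len(l) >= GUESS_THRESHOLD}
    return {"canary_hits": canary_hits, "alias_leaks": alias_leaks, "guessing": guessing}

def verdict(result):
    """Map the triage result onto the explanations discussed in the thread."""
    if result["canary_hits"]:
        return "address list harvested"
    if result["alias_leaks"] and not result["guessing"]:
        return "specific address exposed"
    if result["guessing"]:
        return "dictionary guessing"
    return "nothing unusual"

SAMPLE_LOG = [  # constructed log lines
    "2019-05-01T09:00:00 from=<noreply@forum.example> to=<fretboard@example.org>",
    "2019-05-02T03:14:00 from=<deals@bulk.invalid> to=<fretboard@example.org>",
    "2019-05-02T03:15:00 from=<news@shop.example> to=<shop@example.org>",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result, verdict(result))
```

A "specific address exposed" verdict only says the alias reached a sender other than the service it was given to; it does not say at which hop that happened.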