11 @ 6:45p)

Updated 4/4/ @ 6:45p

Here are just some additional names that have now been confirmed are affected by this breach. (This is not a complete list, not all companies affected have become public). This list comes from NEOWIN.NET (LINK) http://www.neowin.net/news/consequences-of-the-epsilon-breach-spear-phishing (http://www NULL.neowin NULL.net/news/consequences-of-the-epsilon-breach-spear-phishing)

Abe Books
American Express
Ameriprise Financial
Barclays Bank of Delaware
Best Buy
Borders
Brookstone
Capital One
Citibank
City Market
CollegeBoard
Dillons
Disney Vacations
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
Home Shopping Club (HSN)
The Home Shopping Network
Jay C
JP Morgan Chase
King Soopers
Kroger
LL Bean
Marriott Rewards
McKinsey Quarterly
New York & Co.
QFC
Ralphs
Ritz Carlton
Robert Half
Smith Brands
TiVo
US Bank
Verizon
Visa
Walgreens

**PLEASE REMEMBER NO REPUTABLE COMPANY WILL EVER ASK YOU FOR PERSONAL, CREDIT CARD, or ACCOUNT INFORMATION, DO NOT RESPOND TO ANY EMAIL ASKING FOR THAT KIND OF INFORMATION or CLICK ON ANY LINK IN AN EMAIL THAT ASKS FOR YOU TO VISIT A WEBSITE TO ENTER THAT INFORMATION. IF IN DOUBT CALL THE COMPANY THAT THE EMAIL CLAIMS TO BE FROM DIRECTLY TO CONFIRM YOUR SITUATION.

*************************************************************************************************************************************************

Update 4/4 @ 2p

The story just keeps getting bigger. AP (via yahoo news) is now reporting

Among the affected are financial-service companies such as Capital One Financial Corp., Barclays Bank, U.S. Bancorp, Citigroup Inc., JPMorgan Chase & Co. and Ameriprise Financial Inc. and retailers including Best Buy Co., TiVo Inc., Walgreen Co. and Kroger Co.

The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.

Walt Disney Co.’s travel subsidiary, Disney Destinations, sent emails warning customers on Sunday. Hotel chain Marriott International Inc. issued a similar warning.

The complete AP story can be found at (LINK) http://news.yahoo.com/s/ap/20110404/ap_on_hi_te/us_data_breach (http://news NULL.yahoo NULL.com/s/ap/20110404/ap_on_hi_te/us_data_breach)

****************************************************************************************************************************************

As reported in the Dallas Morning News (LINK) http://www.dallasnews.com/news/local-news/20110402-vendor-for-kroger-jpmorgan-chase-suffers-data-breach.ece (http://www NULL.dallasnews NULL.com/news/local-news/20110402-vendor-for-kroger-jpmorgan-chase-suffers-data-breach NULL.ece) , Epsilon who provides marketing services for a number of companies suffered a data breach, where someone was able to get unauthorized access into the Epsilon email system.

Epsilon themselves have released a press release (LINK) http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3 (http://www NULL.epsilon NULL.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3) , concerning the issue.

Originally in the Dallas Morning News story only JP Morgan Chase and Kroger Supermarkets were named. Since then it has been confirmed that US Bank and DVR manufacturer TiVo are also affected (Others possible but not confirmed so far). What is understood in all cases is that only the Name and Email Addresses of customers were compromised. The problem with breaches like these is that the “bad guys” can now send fake emails to customers making them look like they come from affected companies in an attempt to trick the end user into giving up more information.

For those who think, I don’t shop at Kroger’s below is a list of some of the names that Kroger’s operates under. (LINK) http://www.thekrogerco.com/ (http://www NULL.thekrogerco NULL.com/)

Here is the notice that TiVo is sending out to their customers.

***UPDATE 4/3

It can now be confirmed that Disney and HSN are included in the information breach.

This is the notice that Disney is sending out

and Here is what HSN is sending out

Dear HSN Customer,

HSN values your trust and wants to make you aware of a recent incident. We learned from our email provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals. This information included your name and email address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible. We apologize for any inconvenience and have outlined below a number of email safeguards to help ensure your privacy online.

***What to look out for***

If you have given your information to one of the affected companies, you need to be on the look out for emails that look official and say things like

- We are updating our records and need to confirm the credit card on file

- Do to tax changes, we need to get your SSN# to update our records

Those are just possible examples, in any case if you get any email that asks for personal, credit card or account information, DO NOT RESPOND to any email asking for that kind of information. Keep in mind that NO RESPONSIBLE COMPANY will EVER ask you for that kind of information via a random email.

Online Security: Hackers take Control of PA Women’s Online ID (From 6abc.com)

The following story comes from the 6abc Newscast (12/29/10) in Philadelphia, where a local women had her Facebook and AOL email ID’s compromised, and where the hacker was using the compromised accounts to send “Bogus” messages to the friends lists in the compromised accounts asking for money. The “bogus” messages said that the user was assaulted while on a trip and asking the friends list for money to help.

This story just goes to prove that users need to be careful in responding the messages received (from all electronic communications), even when they appear to be coming from someone they know. In addition, you should always make sure you do the following

Keep your pc Software updated (Windows, Programs, Antivirus)
Use a complicated password with a mix of Capital and Lower Case Letters, Numbers, and Symbols (Example: P@55w0rd@ – Note the use of the @ symbol, the #5 and the #0 instead of the normal letter)
Use different passwords on each account (I know this one is HARD)
If possible set up additional security reset options with each online account, for example on Gmail you can now require a code be text messaged to your cell phone, which would then be required before a change to your security settings would be allowed. (Gmail->Settings->Accounts and Imports->Change Account Settings)

*****************************************************************************************************************************************

With that being said here is the story posted on 6abc.com (LINK) http://abclocal.go.com/wpvi/story?section=news/crime&id=7870339 (http://abclocal NULL.go NULL.com/wpvi/story?section=news/crime&id=7870339)

By Alicia Vitarelli – 6abc Philadelphia

ABINGTON, Pa. – December 29, 2010 (WPVI) — A Montgomery County is trying to put her online life back together after hackers took control of her Facebook and email accounts.

Billie Bakhshi said it began recently when she tried to log on to Facebook, but couldn’t get in. So, she tried to reset her password.

"But the hacker changed that. They changed the email address on Facebook so that the retrieval is being sent directly to the hacker instead of to me," Billie said.

She then found out her AOL account was also wiped out.

That’s when she got a strange call.

"I got a phone call from a friend who said ‘Are you okay? I didn’t know you were in Wales!" said Billie. "I said ‘What?!"

Whoever stole her social network identity was emailing her friends and family, saying she on vacation overseas, in danger and needed money. The message read, in part, "I am writing this out of frustration and pain – we got mugged last night…"

Complete Post can be found on the 6abc (LINK) http://abclocal.go.com/wpvi/story?section=news/crime&id=7870339 (http://abclocal NULL.go NULL.com/wpvi/story?section=news/crime&id=7870339)

Alert: Email – What steps you should take to try and protect yourself from getting your email hacked.

I just found out that someone I know got Hacked and lost control of their email. This isn’t the 1st person I know to get their email hacked, in fact I get asked for help at least once a month from someone (clients, co-workers, friends, and family included) who needs help trying to get their email back. With our total reliance on email for our daily lives, trying to access your email one morning only to find out that someone else has changed the password on you and is can now go thru your digital life is both upsetting (insert expletive here) and be very scary as well.

Here are some steps from experience as to what you need to do both now and if this were to happen to you.

Now that you have a functioning email account -

1 – Find out if your email service has the ability to add a “Secondary account” notification. If they do, add a 2nd email address, and make sure that the 2nd email address is not on the same service as the email address you are trying to protect. What do I mean by same service, if your main email is …….@gmail.com (…… NULL. null@null gmail NULL.com), then when you add your secondary address set up or sign up for an address at Hotmail or Yahoo or with your local internet provider. Many of the people who have been hacked who have multiple addresses at on email provider lose access to all the accounts with that provider.

In addition many sites like Gmail require you to know exactly what day you signed up for the service to confirm it is you who are the true owner. Look at the settings area of your email account (if you use services like hotmail, Gmail, or yahoo mail), it should say member since XX/XX/XXXX. You need to write down somewhere (that cant been seen be everyone else – See #4 for more) when you signed up for the service you are trying to protect.

2 – Many email providers also include the “Secret question or Secret Word” hints when recovering email address passwords. Do not use questions like “My favorite Disney character” with a response of “Mickey” or another one of my favorites “where do I work” with the response of “Boeing” your email ends in …@Boeing.com (… null@null Boeing NULL.com). I know its hard to keep track of all this passwords and information, but at the same time, when you keep the “Hints” simple, you also make it simple for someone else to figure out what the answer is and use that against you.

3 – Use a better password. SERIOUSLY THIS ONE GETS ME EVERYTIME…….I have had more than 1 person tell me that their password is 1234 and others someone tell me that the password was their 1st name, which also happens to be the name of the email address, so that had 1stname@yahoo (1stname null@null yahoo) with a password of 1stname. Passwords should look something like (EXAMPLE ONLY) ComPlicated1@ at minimum (Note the use of a couple of multiple capital letters plus a number plus a character). Some please actually change letters and numbers so that if the password actually looks like C0mP1iC@ted1 (C0mP1iC null@null ted1)@ (Note the use of zero and one instead of the letters and the @ sign instead of the letter a), however I will be the 1st to say that version may drive some people crazy trying to type it.

4 – DO NOT USE STICKY TAGS STUCK TO YOUR MONITOR OR AN 8×11 PIECE OF PAPER STICK TO YOUR WALL TO WRITE DOWN USER NAME AND PASSWORDS. (This one is for both home and business users) How many people may visit your house or work (anyone from the repair tech or babysitter at home to someone visiting your corporate office or even your co-workers), do you really trust all those people that much, that 1 of them couldn’t maybe while walking by or in the area of your computer see your sticky notes and then try to use them later. For years everyone has heard about how you should cover what you type when you are at the ATM so that anyone near you cant see what your doing, its the same rule with your passwords, get them out of the way.

5 – Many sites require you to sign up using an email address / password. If you have sites like that do NOT use the same password on the sites that you use on your email. Example, JohnDoe@gmail (JohnDoe null@null gmail) uses signs into email using ComPlicated1@ as his password. If you then sign up for Facebook for example with that same email address DO NOT USE ComPlicated1@ as the password on Facebook. Make it something completely different. The problem with using the same password on both your email and sites your sign up for, is that if the site you signed up for screws up or gets hacked, it could be very easy for the bad guys to get your information from that site and then have a free ride into your email.

6 – NOT 1 SINGLE SERVICE OUT THERE WILL EVER SEND YOU OUT A NOTICE THAT SAYS “WE ARE CHECKING OUR ACCOUNT INFORMATION, CAN YOU PLEASE RESPOND TO THIS EMAIL WITH YOUR LOG ON TO MAKE SURE WE HAVE THE CORRECT INFORMATION”. Your bank does NOT do that, your credit card company does NOT do that, your email provider does NOT do that. NEVER NEVER NEVER fall for one of those emails and respond back with your information. That also includes the government, you will NOT get your IRS refund check back sooner if you respond to that email about “We are the IRS and we need to confirm your banking info so that we may deposit your check quicker”. I know #6 is not only about emails but I think the example makes the point. Do NOT fall for it.

If you get hacked and lose access here is what to do -

I’m going to use Gmail for this example, but virtually all other services have the same features, you just have to look for the address for your specific service.

The following options are recommended by Google Support when your forget the Gmail password or if someone else takes ownership of your Google Account and changes the password:

1. Reset Your Google Account Password:

Type the email address associated with your Google Account or Gmail user name at Google.com/accounts/ForgotPasswd (https://www NULL.google NULL.com/accounts/ForgotPasswd) – you will receive an email at your secondary email address with a link to reset your Google Account Password.

This will not work if the other person has changed your secondary email address or if you no longer have access to that address.

2. For Google Accounts Associated with Gmail

If you have problems while logging into your Gmail account, you can consider contacting Google by filling this form (http://www NULL.google NULL.com/support/accounts/bin/request NULL.py?service=mail). It however requires you to remember the exact date when you created that Gmail account.

3. For Hijacked Google Accounts Not Linked to Gmail

If your Google Account doesn’t use a Gmail address, contact Google by filling this form (http://www NULL.google NULL.com/support/accounts/bin/request NULL.py?hl=en&ctx=accounts_hc&contact_type=hijack). This approach may help bring back your Google Account if you religiously preserve all your old emails. You will be required to know the exact creation date of your Google Account plus a copy of that original “Google Email Verification” message

Tech Geek and More

Technology Explained for All

Category Archives: Email Hacking

Alert: A number of Major Companies suffer Data Breach via a 3rd party partner. Customer Names and Email Address exposed (Updated 4/4/11 @ 6:45p)

Online Security: Hackers take Control of PA Women’s Online ID (From 6abc.com)

Alert: Email – What steps you should take to try and protect yourself from getting your email hacked.