Experts are warning users to be on high alert for targeted spear phishing messages as companies continue to come forward to say that their customers' email addresses were stolen as part of the massive Epsilon data breach disclosed five days ago.
The latest batch of affected organizations includes AbeBooks, Air Miles, Ameriprise Financial, Ameritrade, Beachbody, BeBe Stores, Eileen Fisher, Ethan Allen, Hilton HHonors program, Lacoste, McKinsey & Company, MoneyGram, Red Roof Inn, Robert Half, Target, Verizon and 1-800-Flowers, according to reports and breach notification letters.
Dallas-based email marketing service provider Epsilon on Friday revealed that hackers gained unauthorized entry to its email system to steal clients' customer data. The hijacked data includes email addresses and customer names. Customers may receive an increase in spam as a result of the breach, according to several notification letters.
“These guys are spammers and they want the biggest email address lists out there,” Lance James, director of intelligence at security monitoring solutions provider Vigilant, told SCMagazineUS.com.
Those behind the attack will likely sell the list of stolen email addresses or portions of it to other cybercriminals, James said. The data also can be used to pull off targeted spear phishing attacks that introduce malware into organizations.
“An email address is, in itself, something that has zero value,” Nicolas Christin, associate director and a faculty member of the Information Networking Institute at Carnegie Mellon University in Pittsburgh, told SCMagazineUS.com. “But now, you can connect the email address to some other elements – a name and financial institution [or retailer]. The more connections you have, the more valuable the information you possess.”
Attacks may even come in the form of fake breach notification emails containing malicious links or attachments, security firms have warned.
In light of the incident, users should be careful not to open emails from people they don't know, and should not respond to any messages or phone calls asking them to verify a password or other personal information, Wasim Ahmad, a data protection expert and vice president at enterprise security firm Voltage Security, wrote in a blog post Monday. In addition, users should not open any attachments contained in unsolicited messages.
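The warnings above (fake notification emails, links that lead somewhere other than the retailer, requests to "verify" a password) translate into checks a mail filter or an analyst can run. The Python below is an added example, not code from the article or from any of the firms quoted: it parses a constructed fake "breach notification" message and flags the signals a practitioner would look for. Every domain and both sample messages are made up for this example, and the `registrable_domain` helper is a crude last-two-labels fallback rather than a public suffix list lookup.

```python
"""Added example: flag a fake 'breach notification' email whose links,
Reply-To or link text do not match the sender it claims to be.

Assumptions (not from the article): sample messages and all domains below
are constructed placeholders; registrable_domain() is a simplification."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: claims to be a retailer's rewards programme, but the
# Reply-To and the "verify" links point at an unrelated host.
SAMPLE_PHISH = b"""From: "Example Rewards" <rewards@example-retailer.com>
Reply-To: verify@mail-verify.example.net
To: customer@example.org
Subject: Important security notice about your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your email address may have been exposed. Please
<a href="http://example-retailer.com.account-verify.example.net/login">verify your password</a>
within 24 hours.</p>
<p>Or visit <a href="http://example-retailer.com/privacy">example-retailer.com/privacy</a>
or <a href="http://account-verify.example.net/x">http://example-retailer.com/account</a>.</p>
</body></html>
"""

# Constructed sample of a notification that is consistent with its sender.
SAMPLE_LEGIT = b"""From: "Example Rewards" <rewards@example-retailer.com>
To: customer@example.org
Subject: Notice about your email address
Content-Type: text/html; charset="utf-8"

<html><body><p>Our email vendor told us your name and email address were
exposed. We will never ask for your password by email. Details:
<a href="https://www.example-retailer.com/notice">www.example-retailer.com/notice</a></p></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
VERIFY_RE = re.compile(r"verify|confirm|update|login|password", re.I)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Last two DNS labels; a production check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    return registrable_domain(parseaddr(header_value)[1].split("@")[-1])


def analyse(raw: bytes) -> dict:
    """Return the sender domain, a list of human-readable findings, and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = address_domain(msg["From"])
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    for href, text in LINK_RE.findall(html):
        link_domain = registrable_domain(urlparse(href).hostname or "")
        plain_text = re.sub(r"<[^>]+>", "", text).strip()
        # 1. Link goes to a domain other than the claimed sender's.
        if link_domain != from_domain:
            findings.append(f"link to {link_domain} does not match sender domain {from_domain}")
        # 2. Link text asks the reader to verify/log in/enter a password.
        if VERIFY_RE.search(plain_text):
            findings.append(f"link text asks to verify or log in: {plain_text!r}")
        # 3. Link text shows one host while the href points at another.
        shown = HOST_IN_TEXT_RE.search(plain_text)
        if shown and registrable_domain(shown.group(1)) != link_domain:
            findings.append(f"link text shows {shown.group(1)} but points to {link_domain}")
    # 4. Replies would go to a different domain than the one the mail claims to be from.
    if msg["Reply-To"] and address_domain(msg["Reply-To"]) != from_domain:
        findings.append(f"Reply-To domain {address_domain(msg['Reply-To'])} differs from {from_domain}")
    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

None of these checks is proof on its own; marketing mail legitimately uses third-party link hosts, which is exactly why a message that merely looks like it came from a retailer cannot be trusted to verify a password. The useful signal is the combination: unrelated link and Reply-To domains plus an urgent request for credentials.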
It is not known how many email addresses were compromised, but some experts place the number in the millions. Carnegie Mellon University's Christin said his email address was among those stolen.
“I didn't know that one of my email addresses was handled by a company called Epsilon,” he said. “As a consumer, it's interesting to find out my email address went to a place it shouldn't be.”
Affected businesses will likely take a reputation hit, even if Epsilon was responsible for the breach, he said.
“I don't think the average consumer is going to care whether Epsilon is at fault,” Christin said. “All they will [say] is, 'I gave you my email address and you lost it.'”
The list of affected organizations also includes Barclays Bank of Delaware, Brookstone, Capital One, Citigroup, City Market, Dillons, Disney, Food 4 Less, Fred Meyer, Fry's, Jay C, JPMorgan Chase, King Soopers, Kroger, L.L.Bean, Marriott Rewards, New York & Co., QFC, Ritz-Carlton Rewards, Ralphs, The College Board, The Home Shopping Network, TiVo, U.S. Bank, and Walgreens, according to reports.