5

I woke up this morning to over 900 emails of several online services asking to confirm I’ve made an account. Last month my email had been compromised and they managed to get into my eBay and Amazon accounts. I managed to remedy the situation, and changed my passwords on everything. My password on my email is different from all my other accounts and is a fairly strong one. But today it seems to have been compromised again.

  1. How can I fix this so I stop getting signed up for accounts?

  2. Is that email address far gone and I just need to get a new one?

  3. How could this happen, so I can better prevent it in the future?

  4. Could this somehow be related to my last breach, or is it just a coincidence?

  5. What’s the point of breaching an email to sign up for hundreds of accounts in one night?

schroeder
  • 1
    This question I asked some time ago might be related to this topic: https://security.stackexchange.com/questions/195172/is-mailbait-still-a-threat By using a service like Mailbait, it might be possible to DoS your email like that (but I don't know how that could be solved) – reed Jul 26 '20 at 14:10
  • 4
    "_But today it seems to have been compromised again_" Unless I'm missing something, how does 900 account-confirmation emails indicate that you've been compromised again? All it takes is to plug your email into their sign-up pages. The fact that the emails are asking you to _confirm_ new accounts suggests they _haven't_ breached your email account (otherwise they could have logged-in and sent the confirmation emails back to the companies they've signed you up to). – TripeHound Jul 26 '20 at 14:22
  • 7
    Carefully check for the emails that indicate purchase or monetary transaction notifications rather than service signups. It's a common tactic for attackers to create such a flurry of signups to obscure notification emails that might indicate fraudulent use of accounts, cards, etc. – gowenfawr Jul 26 '20 at 14:51

2 Answers

3

1. How can I fix this so I stop getting signed up for accounts?

You can't - anyone who knows your email address can do this. Anyone whom you ever emailed, or anyone who read an email they forwarded, has your mail address; it could have nothing to do with the breach.

2. Is that email address far gone and I just need to get a new one?

Maybe, but you need to balance the inconvenience of changing email, and be aware that it could simply happen again at some point right after you send your first email or someone CCs you into an email; both these actions put your email address out there.

3. How could this happen, so I can better prevent it in the future?

Software exists to register your email with a massive number of companies; effectively, everyone who sets up a "register your account with us, we just need to confirm your email" process with no barrier such as a captcha or having to pay them first creates a robot that can be manipulated into flooding your mailbox with junk. The real question is why it was flooded; it's less likely that the person who broke in last time is doing it just to annoy you, and more likely that this flood of emails contains, in the center, a couple of confirmations of things they bought as you, etc. The hope is that you just select all 900 and hit delete.

4. Could this somehow be related to my last breach, or is it just a coincidence?

I think it's highly likely, and you should carefully examine the extent to which you were compromised; they'll have been able to comb your entire email history and find all the sites you've purchased from that may still be holding your credit card details, and possibly made purchases from those sites, not just eBay and Amazon.

5. What’s the point of breaching an email to sign up for hundreds of accounts in one night?

You don't need access to an email address to sign up for an account; even if they just reach the "confirm your email" stage with some company, the company still sent you an email. These emails aren't of any concern unless they're actually completing signup (indicating the third party still has access to your email). Bear in mind that if someone does have access to your email, then the follow-up "you're fully signed up!" could be erased, though it might be curious that the "verify your email" emails remain. The read/unread status isn't much help either, as that can be toggled - what you need is a log of activity as to what IP addresses have signed into your mail and when; review them carefully.

Caius Jard
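The sign-in log review this answer recommends, as an added example (not the answerer's code and not a real provider's tooling): it parses a constructed activity export, lists successful logins from addresses outside the networks the owner recognises, flags a failure-then-success pair from the same address, and checks which logins fall around the time the confirmation flood began, which is the test for whether the flood is tied to account access or just to someone typing the address into sign-up forms. The log format, the `SAMPLE_ACTIVITY` lines, `KNOWN_NETWORKS` and `FLOOD_START` are all constructed assumptions; a real export would need its own parser.

```python
"""Review a mail account's sign-in activity for logins from unfamiliar
addresses and for logins clustered around the start of a confirmation
flood. Example code added to this page, not the answerer's code. The log
format, addresses and times are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample export: "<UTC timestamp> <client IP> <result>" per line.
SAMPLE_ACTIVITY = """\
2020-07-24T08:02:11Z 203.0.113.7 success
2020-07-25T19:44:03Z 203.0.113.7 success
2020-07-26T02:13:57Z 198.51.100.23 failure
2020-07-26T02:14:20Z 198.51.100.23 success
2020-07-26T02:31:09Z 198.51.100.23 success
2020-07-26T07:55:41Z 203.0.113.7 success
"""

# Networks the account owner recognises (home, office, carrier); constructed.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed: timestamp of the first confirmation email in the flood.
FLOOD_START = datetime(2020, 7, 26, 2, 20, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SignIn:
    when: datetime
    ip: str
    success: bool


def parse_activity(text):
    """Parse the sample export into SignIn records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, result = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, ip, result == "success"))
    return sorted(events, key=lambda e: e.when)


def is_known(ip, networks=KNOWN_NETWORKS):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def unfamiliar_successes(events, networks=KNOWN_NETWORKS):
    """Successful sign-ins from addresses outside the recognised networks."""
    return [e for e in events if e.success and not is_known(e.ip, networks)]


def failures_then_success(events, window=timedelta(minutes=10)):
    """Successful sign-ins preceded, within `window`, by a failed attempt from
    the same address: the shape a tried-then-correct credential leaves behind."""
    hits = []
    for i, e in enumerate(events):
        if not e.success:
            continue
        for prior in events[:i]:
            if prior.ip == e.ip and not prior.success and e.when - prior.when <= window:
                hits.append(e)
                break
    return hits


def signins_around(events, flood_start=FLOOD_START, window=timedelta(hours=1)):
    """Successful sign-ins within `window` either side of the flood's first
    message. A hit here links the flood to account access; no hit is
    consistent with someone merely submitting the address to sign-up forms."""
    return [e for e in events if e.success and abs(e.when - flood_start) <= window]


if __name__ == "__main__":
    events = parse_activity(SAMPLE_ACTIVITY)
    for label, hits in (("unfamiliar address", unfamiliar_successes(events)),
                        ("failure then success", failures_then_success(events)),
                        ("around flood start", signins_around(events))):
        print(label)
        for e in hits:
            print(f"  {e.when.isoformat()} {e.ip}")
```

On the constructed sample, the unfamiliar address 198.51.100.23 logs in six minutes before the first confirmation arrives, after one failed attempt; that is the pattern that would support the "related to the last breach" reading, whereas an empty result from all three checks would point toward plain list bombing with no account access.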
1

This is called list bombing (aka email bomb, list linking, email cluster bomb, subscription bombing, etc). A list bomb is a targeted attack in which a victim's email address is signed up for numerous bulk mail systems without the victim's consent, resulting in lots of bulk mail, ~legitimate and spam, filling the victim's mail box. This got attention in 2016 when Brian Krebs blogged about email bombs aimed at .gov addresses. Wired Magazine also wrote about list bombs on journalists at ProPublica.

In the US, it is still legal to send opt-out bulk mail (a mass mailer can send mail to you until you tell them to stop), as opposed to opt-in mail, which requires the recipient to have previously requested the mail content, or confirmed opt-in (COI, aka double opt-in, DOI) mail, which additionally requires recipients to verify their desire to receive more mail after the initial subscription confirmation.

In my experience, most list bombs are actually confirmed opt-in. They're thanking you for signing up to a list and asking for you to click a link or respond so they have explicit permission to continue.

What are the consequences? List bombing is just a nuisance-level denial of service attack, designed to overwhelm you so you can't do any real work. The only way for an attacker to profit is through extortion ("pay me or it'll happen again") or as a distraction: a list bomb could hide an attack in the noise, burying a critical notice, confirmation, warning, report, the closing letter for a potential business deal, etc.

Why you? This attack probably came from somebody harboring ill will against you. If it's related to a breach, that'd probably just be to gain a list of your users (though there are lots of ways to get users' addresses).

Solutions? Sorry, there is no viable solution to this. It's a real pain point.

M³AAWG (a working group of bulk senders, anti-spammers, and large receivers) drafted an email header to mitigate list bomb attacks, proposing a Form-Sub header, but the draft expired in May 2020. Also note that this would actually require adoption to be useful.

The only remaining solution, aside from abandoning the address in question, is to design a system that is specifically geared to detecting COI and other bulk mail so you can siphon it off in response to a list bomb event (ideally to be automatically triggered by a sufficient volume and then retroactive to cover what was delivered before the trigger). This is extremely difficult.

I do not suggest changing your address. Since list bombs are mostly COI, they tend to go away on their own, so you just have to weather the storm. Of course, if somebody really hates you, they'll keep signing you up and then you should consider burning the address.

If you have to do that (and you have filter access on your mail server), you could bounce all mail to the old address unless they're in your address book—just make sure that you never reply from the old address since group Cc's won't work. Bouncing (SMTP code 550, "no such user") is important because it'll help inform people you've forgotten to allow.

You could even consider a custom rejection message with indirect instructions on how to contact you, like "try me at firstname.lastname@ instead" (show the formula, not your actual first and last name). I'm guessing even literally including your new email address is safe, though I do suggest mangling it at least a bit.

Adam Katz
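The volume-triggered COI siphon this answer describes as the remaining technical option, as an added example (not the answerer's code, not a finished mail filter): a heuristic classifier for confirmation-style mail, a sliding-window monitor that switches to quarantine once enough of it arrives in a short span, and a retroactive move of the matching messages that were already delivered before the trigger fired. Everything here is constructed: the `COI_SUBJECT` pattern, the threshold and window, and the sample mailbox (one personal mail, one shop notice that must stay visible, eight confirmations a minute apart). The classifier is deliberately narrow so that a transactional notice, the kind of message an attacker would want buried, is not swept up with the flood.

```python
"""Volume-triggered siphon for confirmed-opt-in (COI) mail. Example code
added to this page; not the answerer's code. The subject pattern, the
thresholds and every message below are constructed for the example."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Subjects typical of a subscription/registration confirmation request.
COI_SUBJECT = re.compile(
    r"\b(confirm|verify|activate|validate)\b.*"
    r"\b(subscri\w*|e-?mail|account|sign-?up|registration|newsletter)\b", re.I)


def looks_like_coi(msg):
    """Heuristic: confirmation-style subject, or bulk-mail headers together with
    a subscription-flavoured subject. A shop's order notice normally has neither."""
    subject = msg.get("Subject", "")
    bulk = (msg.get("Precedence", "").lower() in ("bulk", "list")
            or msg.get("List-Unsubscribe") is not None)
    return bool(COI_SUBJECT.search(subject)) or (bulk and "subscri" in subject.lower())


class ListBombMonitor:
    """Counts COI-like messages in a sliding window. Once `threshold` arrive
    within `window`, the current message and every COI-like message still in
    the window (already delivered to the inbox) go to quarantine, and
    quarantine stays active for as long as the flood keeps arriving."""

    def __init__(self, threshold=20, window=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.recent = deque()      # (arrival time, Message-ID) delivered to inbox
        self.active_until = None   # quarantine mode expiry, None when inactive

    def route(self, msg):
        """Return (folder, message_ids_to_move_retroactively) for one message."""
        if not looks_like_coi(msg):
            return "inbox", []
        when = parsedate_to_datetime(msg["Date"])
        while self.recent and when - self.recent[0][0] > self.window:
            self.recent.popleft()
        if self.active_until is not None and when <= self.active_until:
            self.active_until = when + self.window   # flood still running
            return "quarantine", []
        if len(self.recent) + 1 >= self.threshold:
            self.active_until = when + self.window
            retro = [mid for _, mid in self.recent]
            self.recent.clear()
            return "quarantine", retro
        self.recent.append((when, msg["Message-ID"]))
        return "inbox", []


def triage(messages, threshold=20, window=timedelta(hours=1)):
    """Run the monitor over messages in arrival order; return the final folder
    for each Message-ID, including the retroactive moves."""
    monitor = ListBombMonitor(threshold, window)
    folders = {}
    for msg in messages:
        folder, retro = monitor.route(msg)
        folders[msg["Message-ID"]] = folder
        for mid in retro:
            folders[mid] = "quarantine"
    return folders


def make_message(mid, sender, subject, when=None, **headers):
    """Build a constructed test message; header keyword names use '_' for '-'."""
    msg = EmailMessage()
    msg["Message-ID"] = mid
    msg["Date"] = format_datetime(when or datetime.now(timezone.utc))
    msg["From"] = sender
    msg["Subject"] = subject
    for name, value in headers.items():
        msg[name.replace("_", "-")] = value
    msg.set_content("(body omitted)")
    return msg


def sample_messages():
    """Constructed mailbox: one personal mail, one shop notice the victim must
    not lose, and eight COI confirmations arriving a minute apart."""
    t0 = datetime(2020, 7, 26, 2, 0, tzinfo=timezone.utc)
    msgs = [make_message("<personal@example.org>", "friend@example.org",
                         "Dinner on Friday?", t0)]
    for i in range(8):
        msgs.append(make_message(f"<coi{i}@list{i}.example>", f"news@list{i}.example",
                                 "Please confirm your subscription",
                                 t0 + timedelta(minutes=i),
                                 List_Unsubscribe=f"<mailto:unsub@list{i}.example>"))
        if i == 3:   # the notice an attacker would like buried in the flood
            msgs.append(make_message("<order@shop.example>", "orders@shop.example",
                                     "Your order has shipped",
                                     t0 + timedelta(minutes=i, seconds=30)))
    return msgs


if __name__ == "__main__":
    for mid, folder in triage(sample_messages(), threshold=5).items():
        print(f"{folder:10} {mid}")
```

With the threshold lowered to 5 for the sample, the fifth confirmation trips the monitor: it and the four delivered before it move to quarantine, the remaining three are quarantined on arrival, and the personal mail and the shop notice stay in the inbox. In practice the classifier is the weak point the answer warns about: any subject the pattern misses stays in the flood, and any transactional message it catches is exactly what the attacker hoped you would lose, so the quarantine folder still has to be skimmed rather than deleted.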