The Stratfor E-mail Address Scandal That Isn't

The Guardian just ran a sensational story about hundreds of British government and NATO email addresses being exposed via the Stratfor hack. The L.A. Times ran a similar story featuring other exposed email addresses from various U.S. agencies and organizations including the White House. In fact, my email was among those exposed. My response is - big deal. I publicize my email address on the Web. It's one of many that I use for different purposes. An email in and of itself means very little. An email with a ridiculously easy password could be a problem if the person was foolish enough to use that same combination on his work email address but for most people, especially those in large corporations and the U.S. Government, that's next to impossible to do because of specified password requirements and two-factor authentication. And in the case of obtaining free reports via Stratfor's marketing strategy, why bother using a strong password as long as it and its associated email address are different from ones that you use for work? In fact, programs like Anonymizer give you throw-away email addresses and passwords to use for just such an occasion.

One of the articles that I read claimed that the Stratfor breach included 3 email addresses from the White House. Well, two of those were President@whitehouse.gov and Prez@whitehouse.gov. Does anyone seriously believe that either of those are real? They're most likely the invention of someone who, like me, wanted to read one of Stratfor's "free" reports. Stratfor doesn't validate those email addresses and every time you want to download another free report you need to invent a different email address to register under. That's why Stratfor has so many email addresses in its system. People who want a freebie report are loading them up with valid and invalid email addresses like "Prez@whitehouse.gov".

So what are the repercussions to have your email address listed along with hundreds of thousands of others? Spam and spear phishing attacks are pretty much it and both of those can be easily avoided if you've paid any attention to network breaches in the past year. In the rare case that you used your work email address along with your work password, you're pretty much screwed (and deserve to be for being so carless) but by now you've changed your password anyway. The worst part of the Stratfor hack wasn't the release of those email addresses. It was Stratfor's atrocious handling of its members credit card data and the awful state of its own network security. The worst part may be yet to come, if and when Anonymous releases the contents of those emails between Stratfor analysts and their corporate and government clients. Once that happens, you'll be wishing that all you had to worry about was an exposed email address with a weak password.

Related:
An Open Letter to George Friedman and Stratfor
Was Stratfor Breached By An Insider?

Comments