I am not an internet security expert or a PR expert; however, my day job is as a software consultant, so I have a solid grasp of the technical details.
First, there is little danger in someone having a list of email addresses. Email addresses can also be obtained by any entry-level hacker by monitoring traffic over unsecured public networks, such as a coffee house or perhaps many of the wireless networks we expose from our businesses. This would be analogous to swiping someone’s mail out of their unlocked mailbox, opening it up and collecting SSN, account number, etc. At this point (according to Missy’s statement) this list of emails and logins is all we believe anyone has.
However, as Pizzamancer points out, the danger can increase significantly when and if people click on the link. In this case, if people do click on the link, they are prompted to change their password. This process (known as a phishing expedition, as Missy points out) is designed to capture your password. Once that password is captured, the BAD GUYS now have three pieces of information that are associated together: your PMQ login, your email address and your new password. They can then use that information to do a couple of things. They could log into your PMQ account and post messages, view profile information, and basically do anything you can do. While this is annoying and disruptive to our community, it is probably not that harmful in the scope of things (unless you are asking registered guest to try magnets on his ovens, ha ha). More likely, however, that data would be combined with other sources of data to build a digital profile about you…so imagine that not only was your information compromised from PMQ, but also from Jimmy Johns, where I use the same email address to order subs as I do to login to PMQ. My digital profile would now include the information from Jimmy Johns and PMQ. Eventually there may be enough information for someone to get into my online bank account, credit card accounts, credit monitoring, etc. Over time, the identity thief will gain pieces of information that allow them to impersonate me and act as me.
Digital security is an important concern and anyone who holds any piece of digital information about me has a strong responsibility to ensure that they are securely storing that information and not contributing to the process of identity theft.
So, some suggestions on what can or should be done now:
1.) I appreciate that an email was sent out last night. However, I do not believe the wording was strong enough. It is not enough to “ignore” the spammer’s email. I would like to have seen wording that made it clear NOT to click on the link or enter any password information under any circumstances.
2.) This is where someone trained in internet security might come in handy to craft a specific action plan, but I think PMQ could help play a role in assisting anyone who has clicked on the link. Maybe advise that they have heightened monitoring of their credit report and accounts for any signs of suspicious activity…
3.) PMQ probably needs to add additional scrutiny to people trying to login to their site for some period of time. They probably should have heightened awareness not only of successful attempts, but also of unsuccessful ones.
4.) PMQ should probably ask the community to report on any suspicious activity they see that might be traced back to this breach. Perhaps this needs to happen one on one because many people are embarrassed or there may be other needs for discretion.
5.) It may be necessary to reset all user passwords…as a user I hate this idea, but it could be a needed step. I think it would, at the very least, be wise to suggest that users reset their passwords.
6.) Daddio just brought up an important line of questions about this supposed “vendor”…do you have agreements in place about how they were supposed to use the information, and what information they could have? Did they maliciously take information from PMQ - perhaps they need to be reported somewhere? Did they allow someone else to take PMQ’s information from them - perhaps they were duped out of additional information? Why were email addresses and account information given during an evaluation? Could they not have worked from a set of made-up accounts just for this purpose? I feel PMQ does need to be asking these questions to address the present - it is important to understand what happened, the depth of the breach, and ensure that the appropriate reporting of the breach is done. Additionally, we need to address the future and ensure that PMQ takes steps to prevent this from happening again.
In conclusion, based on what we know right now, there probably is no need for widespread panic. Unfortunately, it is an increasingly prevalent risk in the world we live in. However, it is a very serious topic and can lead to more serious consequences if “ignored”. I would ask PMQ to be as proactive, transparent and aggressive as they can be in understanding this breach and addressing it.
Missy - Internet security isn’t my direct area of expertise, I do mostly database, analytics and reporting work, but if you have any additional questions or wish to discuss anything further offline, please feel free to PM me and I am happy to assist in any way I can. This forum and its contributors have made so many fantastic contributions to me and I think it is important that we keep those contributions and contributors safe and secure.
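Suggestion 3 above (heightened scrutiny of both successful and unsuccessful logins for a period after a credential-phishing incident) is the kind of thing a site operator can automate. The following is an added example, not code from the post, from PMQ or from any forum software: it reads constructed, comma-separated audit lines of the form `timestamp,username,source_ip,outcome` and flags two things a reviewer would want after such an incident: accounts hit by a burst of failed logins, and successful logins from an address that account has never used before. The log format, the thresholds, the `known_ips` baseline parameter and the sample data are all assumptions made for illustration.

```python
"""Post-incident login monitor (added example; not the original post's code).

Reads constructed audit lines of the form
    timestamp,username,source_ip,outcome
and reports (a) accounts with repeated failures inside a sliding window and
(b) successful logins from a source address not previously seen for that
account. Log format, thresholds and sample data are assumptions.
"""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data; documentation-range IPs).
SAMPLE_LOG = """\
2011-05-02T08:00:01,tomsmith,203.0.113.10,success
2011-05-02T08:05:12,tomsmith,203.0.113.10,success
2011-05-02T09:10:00,daddio,198.51.100.7,success
2011-05-02T11:00:00,tomsmith,192.0.2.44,failure
2011-05-02T11:00:05,tomsmith,192.0.2.44,failure
2011-05-02T11:00:09,tomsmith,192.0.2.44,failure
2011-05-02T11:00:15,tomsmith,192.0.2.44,success
2011-05-02T11:30:00,missy,198.51.100.9,success
2011-05-02T11:31:00,missy,192.0.2.44,success
"""

FAILURE_THRESHOLD = 3                 # failures per account (assumed value)
FAILURE_WINDOW = timedelta(minutes=10)  # sliding window (assumed value)


def parse_log(text):
    """Parse audit lines into dicts sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # tolerate blank or truncated lines
        ts, user, ip, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": outcome == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def find_failure_bursts(events):
    """Return {user: start of burst} for accounts whose failed logins reach
    FAILURE_THRESHOLD within FAILURE_WINDOW."""
    recent = defaultdict(list)   # user -> timestamps of recent failures
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        window = recent[e["user"]]
        window.append(e["ts"])
        # Drop failures that fell out of the sliding window.
        while window and e["ts"] - window[0] > FAILURE_WINDOW:
            window.pop(0)
        if len(window) >= FAILURE_THRESHOLD and e["user"] not in flagged:
            flagged[e["user"]] = window[0]
    return flagged


def find_new_ip_logins(events, known_ips=None):
    """Return [(user, ip, ts)] for successful logins from an address not
    previously seen for that account. `known_ips` (assumed input) seeds the
    baseline; without it, an account's first success silently sets one."""
    seen = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        seen[user].update(ips)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            alerts.append((e["user"], e["ip"], e["ts"]))
        seen[e["user"]].add(e["ip"])
    return alerts


def review(text, known_ips=None):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {"failure_bursts": find_failure_bursts(events),
            "new_ip_logins": find_new_ip_logins(events, known_ips)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for user, first in report["failure_bursts"].items():
        print(f"failure burst: {user} starting {first}")
    for user, ip, ts in report["new_ip_logins"]:
        print(f"new address: {user} from {ip} at {ts}")
```

On the sample data this flags `tomsmith` for three failures in nine seconds followed by a success from the same unfamiliar address, and `missy` for a success from that address a minute after a normal login; both are the pattern a reset-your-password advisory (suggestion 5) is meant to cut off. The design choice worth noting is the baseline: without `known_ips`, the first success seen for an account is trusted, so feed the checker history from before the incident rather than only the post-incident window.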