According to a growing thread on MoneySavingExpert, it appears that certain users’ email addresses and usernames may have been harvested and used to spread spam.
The email purports to be from MoneyExpert (a different company to MoneySavingExpert, but legitimate), and also links to defaqto.com – again a legitimate website, although MoneyExpert and Defaqto are unlikely to have anything to do with this and are just used to make the email look official. Here’s the text of the email:
Hi XXXXX,
MoneyExpert: News-Tool.
At MoneyExpert, we believe it’s only fair that you can compare products from the whole of the marketplace. After all, it’s the only way to be sure you’re not missing that perfect deal. That’s why we insist on being independent, which means we’re never biased towards any particular company. We provide details on every product from all of the major providers in the market. We partner with Defaqto, the people who deliver product data to the FSA, to ensure that our tables are accurate and complete. You can find out more about Defaqto at www.defaqto.com.
Download “MoneyExpert News-Tool”:
[link removed]
_________
MoneyExpert is VAT registered. Our VAT registration number is 825281335.
This apparent hack follows another breach last year, which took advantage of a security flaw in the forum software that MSE uses, and there are some suggestions that the data used may have been harvested during that attack; no recent breach has yet been identified.
It provides a reminder of some of the measures you should take to keep your details secure:
- Provide a unique email address to each site you sign up for – not always easy, but with Gmail, you can modify your standard email address to make it unique for each site. For example, if you have the standard email address of atestuser@gmail.com, you can sign up with the address atestuser+moneysavingexpert@gmail.com – it will still come through to your inbox, but you can filter out any messages sent to that address if you so wish. It’s not a perfect solution, as anyone who has harvested your email address could strip out the “+something” part to leave your main address, but it is an easy way of identifying and filtering spam email.
- Use a separate password for each site – this probably provides the most hassle, but by using separate (and secure, i.e. a decent length, mix of numbers/letters etc.) passwords, even if your username and/or email address is discovered, your accounts on different sites should still be safe. To help remember passwords, some people choose them based on the web address of the site they’re signing up for. For example, for moneysavingexpert.com, you might choose the password “M0n3yS4vingExp3rt.C0m”.
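To show how the per-site “+tag” address above lets you work out where a leak came from, here is a small added example (my own code, not anything from MSE or the post). It assumes a constructed registry mapping each tag to the site it was handed to, and constructed sample headers; the sender addresses are made up, not those of the real spam.

```python
import re
from email.utils import parseaddr

# Sub-addressing as described above: "user+tag@domain" delivers to "user@domain",
# and the tag records which site the address was given to.
SUBADDR_RE = re.compile(r"^(?P<user>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")

# Constructed registry: tag handed out -> domain of the site it was registered with.
REGISTRY = {"moneysavingexpert": "moneysavingexpert.com"}

# Constructed sample headers (sender addresses are invented for illustration).
SAMPLE_MESSAGES = [
    {"to": "atestuser+moneysavingexpert@gmail.com", "from": "news-tool@example.net"},
    {"to": "atestuser+moneysavingexpert@gmail.com", "from": "forum@moneysavingexpert.com"},
    {"to": "atestuser@gmail.com", "from": "news-tool@example.net"},
]


def split_subaddress(address):
    """Return (base_address, tag); tag is None when the address carries no '+tag'."""
    _, addr = parseaddr(address)
    m = SUBADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    return f"{m.group('user')}@{m.group('domain')}", m.group("tag")


def classify(to_addr, from_addr, registry):
    """Label one message by whether its recipient tag matches the sender's site."""
    _, tag = split_subaddress(to_addr)
    if tag is None:
        # Bare address: either never tagged or the harvester stripped the '+tag',
        # so nothing can be attributed (the caveat noted in the post).
        return "untagged"
    if tag not in registry:
        return f"unknown-tag:{tag}"
    sender_domain = parseaddr(from_addr)[1].rsplit("@", 1)[-1].lower()
    site = registry[tag]
    if sender_domain == site or sender_domain.endswith("." + site):
        return "expected"
    # The tag was only ever given to one site, yet someone else is mailing it:
    # that address has leaked from (or been harvested via) that site.
    return f"leaked:{tag}"


def triage(messages, registry=REGISTRY):
    """Classify a batch of messages; feed the 'leaked:' labels into a mail filter."""
    return [classify(m["to"], m["from"], registry) for m in messages]
```

Mail labelled `leaked:moneysavingexpert` can be filtered or used to confirm which registration was exposed, while `untagged` mail is exactly the case the post warns the trick cannot catch.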
Whilst there will be the usual moans and groans from forum members about the security of the site, hacking is unfortunately one of the problems facing large, popular websites, where there is valuable data for spammers. And it is a constant battle that technical teams face to keep hackers out. Whilst they should certainly try to ensure that their systems take security very seriously, I believe that we as users also have a responsibility to minimise the effects of any breaches by using measures such as those suggested above.