Experts: Take stolen email addresses seriously


When Home Depot revealed that 53 million email addresses were stolen along with 56 million credit- and debit-card numbers during a mid-2014 data breach, consumers might have wondered why data thieves would want access to something as innocuous as the keys to your inbox.

Experts whom we interviewed say the pilfered email addresses can be just as troubling for consumers as the stolen credit- and debit-card information.

“Email remains the top threat through which hackers launch attacks,” says Julian Waits, who is the CEO of cybersecurity software company ThreatTrack Security. “Unsuspecting consumers could be tricked into giving away much more than their credit-card information in the coming months.”

Retailers typically use two methods to get their hands on your email address: An employee asks you to share it when you make a purchase, or a store’s credit-card terminal will give you the option of having the receipt for your purchase sent to your email. Sharing your email either way will give the retailer an opportunity to email other promotional information to you, such as notifications about sales or discounts.

As a result, cybercriminals who gain access to a retailer’s list of email addresses that are associated with a specific group of people (e.g., Home Depot customers) can create custom campaigns to trick their targets into clicking links or downloading attachments at a higher rate than typical attacks, says Mark Stanislav, who is the security project manager at Duo Security.

For example, Stanislav says a clever criminal could send a convincing email to affected Home Depot customers that announces that the retailer will provide $50 gift cards as part of a class-action settlement and that affected customers must fill out a registration form, which can be used to gather more personal details. As a result, Stanislav says consumers should be cautious of any giveaway or reimbursement offers that haven’t been announced publicly by Home Depot, and that all email from Home Depot should be treated as suspicious for the foreseeable future.

Corey Nachreiner, who is the director of security strategy at WatchGuard Technologies, says 20 percent of hacked email accounts are accessed within 30 minutes by hackers, who often go on to change your password to lock you out and search through your email for bank-account details.

“Once inside, it’s just a matter of time until hackers have control of your computer and its valuable data,” Nachreiner says.

In other words, you probably already have been hacked by the time that a retailer issues warnings about a data breach that involves your email account.

Aside from targeting your personal data, hackers also gain access to all of your email contacts. Hackers send what are called phishing emails from the victim’s account to everyone in the victim’s address book, and Nachreiner says you’re 36 times more likely to be a victim of a data breach if your email address was compromised.

Simply put, your personal information is valuable. Retailers want as much information about you as is possible so they can tailor marketing campaigns specifically to you, and those campaigns often arrive in the form of an email advertisement. Home Depot, for instance, might know that you purchase light bulbs every 4 weeks and will send you a customized advertisement about a coming light-bulb sale.

A 2012 survey by McKinsey, which is a management consulting firm, found that email is 40 times more effective at generating new customers than are social-media networks such as Facebook and Twitter. Data thieves want to have your email address to gain access to all aspects of your life or to bundle it with others and sell it to companies that build a customer base.

We believe that consumers can take at least two steps to reduce the damage that the hackers can cause when they steal customer email addresses from retailers. For starters, rather than automatically give your email address to every cashier who asks for it, you can tell them no, because you don’t have to provide your email address to complete a transaction.

However, if you wish to receive coupons, sale notices and other email from retailers, you can set up an email address that’s specifically for those types of correspondence. Rather than risk compromising all of your personal data by limiting yourself to one email address, cybersecurity expert Jerry Irvine of Prescient Solutions suggests that you create a separate email account that you use only so retailers can send you notifications about deals.

For example, if your primary email address is through Gmail, you can create a Hotmail account that you use only to receive notifications from retailers. That way, if hackers get access to the account via the retailer, they won’t have access to anything that could be damaging, such as financial data, social-media passwords and family information that typically is associated with your primary email account.

– K. Carlson