Plusnet fessed up this morning by e-mail

E-mail from Phil Webb, Networks Director, PlusNet

Opens:
"This email contains important information about a problem with our
Webmail service which may have lead to your email address being exposed
to a spammer."

The gist of it at:
http://usertools.plus.net/status/archive/1179240249.htm

So glad I fled Plusnet about 6 months ago (although have a couple of
dormant accounts)

"Allan Gould" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> E-mail from Phil Webb, Networks Director, PlusNet
>
> Opens:
> "This email contains important information about a problem with our
> Webmail service which may have lead to your email address being exposed to
> a spammer."
>
> The gist of it at:
> http://usertools.plus.net/status/archive/1179240249.htm
>
> So glad I fled Plusnet about 6 months ago (although have a couple of
> dormant accounts)
>

I always have difficulty when a company admits to a problem (whatever the
business) as there is a choice of scenarios
1. The company is stupid or incompetent, and none of the others are.
2. The company is honest, and others are having similar problems but just
don't admit it.

What I always find surprising is that very few people encrypt personal data
held on their computer - this not only protects against hackers but also
computer theft, which I suspect is possibly a greater risk.

Retired

"Retired" <(E-Mail Removed)> wrote in message
news:464c265b$0$8739$(E-Mail Removed)...
>
> "Allan Gould" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> E-mail from Phil Webb, Networks Director, PlusNet
>>
>> Opens:
>> "This email contains important information about a problem with our
>> Webmail service which may have lead to your email address being exposed
>> to a spammer."
>>
>> The gist of it at:
>> http://usertools.plus.net/status/archive/1179240249.htm
>>
>> So glad I fled Plusnet about 6 months ago (although have a couple of
>> dormant accounts)
>>
>
> I always have difficulty when a company admits to a problem (whatever the
> business) as there is a choice of scenarios
> 1. The company is stupid or incompetent, and none of the others are.
> 2. The company is honest, and others are having similar problems but just
> don't admit it.
>
> What I always find surprising is that very few people encrypt personal
> data held on their computer - this not only protects against hackers but
> also computer theft, which I suspect is possibly a greater risk.
>
> Retired

And also very many don't bother with anti-virus or spyware systems either.

George

Allan Gould wrote:
> E-mail from Phil Webb, Networks Director, PlusNet
>
> Opens:
> "This email contains important information about a problem with our
> Webmail service which may have lead to your email address being exposed
> to a spammer."
>
> The gist of it at:
> http://usertools.plus.net/status/archive/1179240249.htm
>
> So glad I fled Plusnet about 6 months ago (although have a couple of
> dormant accounts)

Bastards, so it is certainly them then, all the spam i ahve been getting
seems to be around penis expansions.... They have made my email address
close to unusable.

Gaz

"Retired" <(E-Mail Removed)> wrote in
news:464c265b$0$8739$(E-Mail Removed):

> I always have difficulty when a company admits to a problem (whatever
> the business) as there is a choice of scenarios
> 1. The company is stupid or incompetent, and none of the others are.
> 2. The company is honest, and others are having similar problems but
> just don't admit it.

People make mistakes, but this is quite a big one.
The part of the email that stands out to me is this:

"following a full audit of our Webmail service we identified a number of
additional security vulnerabilities that it has not been possible to
patch."

If it has taken less than two weeks worth of audit to come to this
conclusion, why wasn't this audit performed *before* the system was put
live?

I'm mostly annoyed that I normally use tagged mailboxes for *everything*.
Unfortunately on this occassion I appear to have used my personal mailbox
as the contact for an old F9 account and now after many years it is
receiving its first spam, and second, and third..etc

The thing that confuses me though is that this email address *only*
appears in the account details pages and in the ticket history. It has
never had anything to do with the webmail (no, none of the few contacts
that use that address have used the PlusNet mail service so it hasn't
been gotten that way) so surely that means that something more than just
the webmail contacts has been compromised?

This has disturbing similarities to the criticalmass incident back in
2001 :/

Allan Gould <(E-Mail Removed)> wrote:
> "This email contains important information about a problem with our
> Webmail service which may have lead to your email address being exposed
> to a spammer."

Personally, although I'm annoyed at the security breach, I would *much*
rather be told about it in an honest and open fashion, than to find out
about it the hard way, later.

Regards,
Chris

Gaz <(E-Mail Removed)> wrote:
> They have made my email address close to unusable.

Maybe your own antispam filtering needs adjusting? Although I also got
the apology email (and by implication was one of the users affected),
I've not seen a significant increase in spam anywhere except on usenet.

Chris
--
Also ex-PlusNet

In article <dm40i4-(E-Mail Removed)>, Chris Davies
<chris-(E-Mail Removed)> wrote:

>Allan Gould <(E-Mail Removed)> wrote:
>> "This email contains important information about a problem with our
>> Webmail service which may have lead to your email address being exposed
>> to a spammer."
>
>Personally, although I'm annoyed at the security breach, I would *much*
>rather be told about it in an honest and open fashion, than to find out
>about it the hard way, later.

This IS the 'hard way'. PlusNet knew about the trojan on their webmail
server on May 5 and decided not to alert customers to the security risk
until May 13. They were presumably hoping to get away with it and would
never have come clean if the related spam problem hadn't hit the fan.

Yours is an odd definition of 'open and honest'.

Stan

Chris Davies wrote:
> Allan Gould <(E-Mail Removed)> wrote:
>> "This email contains important information about a problem with our
>> Webmail service which may have lead to your email address being exposed
>> to a spammer."
>
> Personally, although I'm annoyed at the security breach, I would *much*
> rather be told about it in an honest and open fashion, than to find out
> about it the hard way, later.

Agreed.

In article <dm40i4-(E-Mail Removed)>, Chris Davies
<chris-(E-Mail Removed)> wrote:
>Personally, although I'm annoyed at the security breach, I would *much*
>rather be told about it in an honest and open fashion, than to find out
>about it the hard way, later.

Stan The Man <(E-Mail Removed)> wrote:
> This IS the 'hard way'. PlusNet knew about the trojan on their webmail
> server on May 5 and decided not to alert customers to the security risk
> until May 13. They were presumably hoping to get away with it and would
> never have come clean if the related spam problem hadn't hit the fan.

If this is correct then I would tend to agree with you.

On the other hand, I see (have seen) a lot of PlusNet-bashing and while
I have migrated away from PN, I don't see the point of sticking the boot
in. (I'm *not* suggesting that this is what you're doing. It's merely
my philosophy.)

Live and let live. If you don't like PN then move on. If you do like PN,
then hang on in there and collect your referrals.

Chris