Cool Components' email database taken in apparent data breach

February 26, 2016 | 11:19

Tags: #breach #data-breach #email #insecurity #personal-data #security #spam

Companies: #cool-components

Hobbyist electronics specialist Cool Components has been hit with an apparent data breach in which persons unknown have made off with its customer email list - but the company claims its investigation has turned up no evidence of security issues.

Cool Components' customers received the first hint of a problem on the 24th of February, when a newsletter from rival company RoboSavvy tipped up in their inboxes. With no prior relationship to RoboSavvy recipients were left wondering how the company had gathered their email addresses, and those who use unique per-company addresses to sign up to mailing lists quickly found their answer: the email addresses had previously been provided to Cool Components during the ordering process.

The two companies were alerted to the problem via social networking service Twitter on the 24th, but neither responded to enquiries. Those querying the issue via email were luckier: while RoboSavvy initially attempted to claim that the addresses must have been mistyped during entry, the company began an investigation after being contacted by media regarding the issue. The result: an admission that more than 4,000 emails were mass-subscribed to the RoboSavvy database on three separate dates, but a denial of any wrongdoing. In its announcement to customers, RoboSavvy claimed that 'all these emails were added using the website and on 3 different days we have 3 different IP addresses adding them, all of the IPs are backtraced to China.'

Asked for more details via email, RoboSavvy's Nuno Gato offered two possible explanations for why a third party would mass-subscribe accounts to the company database. 'We also think that it's a very strange behaviour,' he claimed. 'There are two options: one is that we have a very good customer that wanted to offer us their database or there's someone that doesn't like us so "planted" it there so we would encounter this issues.'

Cool Components, meanwhile, has claimed that there never was a breach. In its initial brief statement via Twitter, a response to media enquiries, the company claimed 'We don't share/sell email lists to @robosavvy (competitor) or anyone else. As we're aware there is no security breach. We're investigating.' Further enquiries from customers and media were met with hostility and eventual silence prior to the publication of a blog post which states that 'after a detailed technical investigation, we can find no evidence of a data breach in our systems.'

When asked how the email addresses, uniquely and provably provided only to Cool Components, had been obtained by the third party who subscribed them to the RoboSavvy mailing list, a Cool Components spokesperson refused to answer, and the company's Twitter account has been similarly unwilling to respond to customers asking the same question.

In a bigger blow for those affected by the breach, Cool Components is also refusing to delete customer accounts upon request. One such customer, who will not be named for privacy reasons, sent an email to Cool Components asking for their account to be removed from the system. The company's response indicated that this had been done, but having not logged out of the website the customer was able to see that Cool Components had simply added a three-letter prefix to the account's email address. Using this 'new' address, the customer was still able to log in using the original account password and view all account details - including name, address, telephone number, and complete order history.

Cool Components has indicated that its investigation of the issue is complete, and its blog post is the final word on the matter. At the time of writing, it had not emailed customers to warn them of their addresses having been leaked. RoboSavvy, for its part, has removed all the bulk-subscribed emails from its list and implemented technical measures, including a CAPTCHA on the sign-up form and a confirmation email for all sign-ups, to prevent a recurrence. It too, though, has indicated via email that it considers the matter closed, and will not be investigating further to identify the party or parties behind the theft and misuse of the customer email database.

While Cool Components claims no breach has taken place, and that no payment details are stored on its systems, its customers are strongly advised to consider changing their password in case the company's assurances turn out to be hollow.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04