[ISN] Password Spamming: Latest Web Marketing Trick

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 02 Jun 1998 - 09:52:19 CDT
http://www.salonmagazine.com/21st/?st.ne.fd.mnaw

Password spamming:
The latest Web marketing trick


When Web companies make deals, sometimes more
than cash changes hands.
- - - - - - - - - - - - - - - - - - - - -

BY ANDREW LEONARD | Normally, I delete spam almost before I read it. But
the unsolicited e-mail message that I got Monday morning from
"theglobe.com" froze my index finger over the delete key right in its
tracks. This particular spam, announcing that I now had a "FREE VIP
Membership to theglobe.com ... your friendly full-service integrated
online community," included my username -- and a password that I regularly
use on other sites, like the New York Times and the Wall Street Journal. 

I had never visited theglobe.com, one of the handful of companies
attempting to strike it rich by offering free home pages to the general
Web-going public. But they had somehow gotten their paws on my password. 

By their own admission, theglobe.com had screwed up. Vance Huntley, the
chief technical officer for theglobe.com, has a reasonable explanation for
how the "glitch" occurred as part of a deal with Advertising Age
Interactive -- a site I'd registered for nearly three years ago. But even
if this incident was an unintentional blunder, it should send a loud
warning through cyberspace: In an era of frenzied consolidation and
spaghetti-like cross-marketing deals, private passwords are less secret by
the day. 

What happened? According to Huntley, theglobe.com had been providing Ad
Age Interactive with "interaction services" on the Ad Age site, including
a chat room interface and other functions. As part of a recently concluded
deal between theglobe.com and Ad Age, Ad Age apparently requested that its
subscriber base be registered en masse at theglobe.com, so that each user
wouldn't have to re-register to enjoy the perquisites of theglobe.com
membership. (Advertising Age representatives had not answered phone
messages and e-mail by our deadline.) 

Normally, says Huntley, every time new users come to theglobe.com and
register, they receive immediate e-mail notification that includes their
new username and password. This is standard practice for many Web sites
that require registration. In this case, however, the mass registration of
Ad Age subscribers -- which occurred without the knowledge or express
permission of those subscribers -- triggered a bulk e-mailing to
"thousands" of users, who had no idea their passwords had been passed from
one company to another.
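The flow described above only works because both sites held the subscribers' passwords in a form they could print into a mail and hand to a partner. The following is an added example, not code from theglobe.com, Advertising Age or the article, showing the registration and partner-import design that removes that possibility: passwords are stored only as salted PBKDF2 hashes, a partner export carries identities but no credentials, and the bulk-created accounts get a single-use, expiring activation token whose fingerprint (not the token) is stored. Every name, address and URL below (`example.invalid`, `bulk_register`, `activate`, the `PARTNER_EXPORT` records) is invented for the example.

```python
"""Registration and partner import with no plaintext password to mail or forward.

Added example; assumes the partner hands over usernames and e-mail
addresses only, and the receiving site makes users pick their own
password through a one-time activation link.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000           # PBKDF2 work factor; raise as hardware improves
TOKEN_TTL_SECONDS = 24 * 3600  # activation links stop working after a day


def hash_password(password, salt=None):
    """Return a self-describing salted PBKDF2-HMAC-SHA256 record (a str)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def _token_fingerprint(token):
    # Only a hash of the activation token is stored, so a copy of the user
    # table (or a partner export of it) cannot be used to activate accounts.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def bulk_register(partner_records, now):
    """Create accounts for partner users without any password.

    Returns the account table and the rendered notification mails; each
    mail carries a single-use activation link, never a credential.
    """
    accounts, mails = {}, []
    for rec in partner_records:
        token = secrets.token_urlsafe(32)
        accounts[rec["username"]] = {
            "email": rec["email"],
            "password_hash": None,                  # nothing to leak yet
            "activation": _token_fingerprint(token),
            "activation_expires": now + TOKEN_TTL_SECONDS,
        }
        mails.append(
            f"To: {rec['email']}\n"
            "Subject: Activate your example.invalid membership\n\n"
            f"Choose a password at https://example.invalid/activate?token={token}\n"
        )
    return accounts, mails


def activate(accounts, username, token, new_password, now):
    """Consume the activation token and let the user set their own password."""
    acct = accounts.get(username)
    if acct is None or acct["activation"] is None:
        return False                                 # unknown or already used
    if now > acct["activation_expires"]:
        return False                                 # link expired
    if not hmac.compare_digest(acct["activation"], _token_fingerprint(token)):
        return False                                 # wrong token
    acct["password_hash"] = hash_password(new_password)
    acct["activation"] = None                        # single use
    return True


def login(accounts, username, password):
    acct = accounts.get(username)
    return bool(acct and acct["password_hash"]
                and verify_password(password, acct["password_hash"]))


# Constructed sample of what a partner should hand over: identities only.
PARTNER_EXPORT = [
    {"username": "aleonard", "email": "aleonard@example.invalid"},
    {"username": "reader2", "email": "reader2@example.invalid"},
]


def demo():
    """Run the flow end to end; every value in the result should be True."""
    now = time.time()
    accounts, mails = bulk_register(PARTNER_EXPORT, now)
    # Simulate the users following their links; the tokens exist only in the mails.
    token1 = mails[0].split("token=")[1].strip()
    token2 = mails[1].split("token=")[1].strip()
    r = {}
    r["token_not_stored_in_clear"] = token1 not in repr(accounts)
    r["wrong_token_rejected"] = not activate(accounts, "aleonard", "not-the-token", "pw", now)
    r["activated"] = activate(accounts, "aleonard", token1, "correct horse", now)
    r["token_single_use"] = not activate(accounts, "aleonard", token1, "other", now)
    r["login_ok"] = login(accounts, "aleonard", "correct horse")
    r["login_bad_password"] = not login(accounts, "aleonard", "wrong")
    r["password_not_recoverable"] = "correct horse" not in repr(accounts)
    late = now + TOKEN_TTL_SECONDS + 1
    r["expired_link_rejected"] = not activate(accounts, "reader2", token2, "pw", late)
    return r


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The design point is that an import like the one Ad Age requested becomes harmless: the partner has no passwords to send, the receiving site has none to print into a welcome mail, and a leaked copy of the account table yields only hashes and already-consumed or expiring token fingerprints.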

"As part of our arrangement, when an Ad Age user came to theglobe.com,
they wouldn't need to provide their information again," says Huntley. "At
least that was all in the plan. What I would assume is that Ad Age did
not ask for the bulk mailing." 

"The really annoying part of this from my perspective is that the members
of Ad Age tend to be a fairly technically savvy crowd," says Huntley.
"We've been getting all kinds of interesting commentary." 

Huntley said that he'd received about half a dozen calls about the
password spam on Monday. And he sympathizes with their concerns. 

"I hate getting unsolicited mail of any kind," says Huntley, "and it has
always been our policy to say, hey, you're getting this mail because you
typed your e-mail address into our Web site. This was an editorial
oversight, but it has had bad repercussions. I think that it would have
made a lot more sense to indicate to users what was going on. But alas,
the mail has gone out." 

"What we highlighted here is that we are not as sophisticated about it as
other operations might be," says Huntley. "Had this been the 20th time
we'd done this, perhaps there would be standard operating procedure to
deal with this eventuality. This is the first time we've had anyone call
and complain about this kind of issue. I think there are other folks doing
it a lot more and that they have procedures in place to deal with it." 

And there's the real problem. How often is this kind of mass
re-registration of subscribers going on in the Web world? In the offline
universe, mailing lists get bought and sold with increasing frequency. But
private passwords? Is such user information being traded between companies
-- and how often is it being used? Just think of one potentially
disturbing possibility: Microsoft recently bought Firefly, the owners of a
database far larger and more detailed than Advertising Age's. Microsoft
now has access to all Firefly user preferences, not to mention their
passwords. 

Of course, Microsoft is probably smart enough not to send a bulk e-mailing
to all those users that included their passwords printed in plain text.
And they shouldn't. On the other hand, at least such blunders let us know
what companies are up to with our information. Do you know where your
password is tonight? 

SALON | June 2, 1998



-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Jun 2 11:40:37 1998