Thursday, February 11, 2010

update on possible user database breach at instructables

i have good news for users. i've been in contact with Eric Wilhelm, CEO of Instructables, who was able to get to the bottom of the issue i previously blogged about in short order and it turns out to have not been a breach of their database after all.

Instructables uses a third-party service to handle their newsletters. in the past they used a company called iContact, but they switched to Streamsend 2 years ago. it appears that iContact recently had a breach of their systems, which you can read more about on the iContact blog.

as such it seems likely that only email addresses (not other, potentially more sensitive information like credentials) were leaked, since that's the only data iContact would have needed access to. further, anyone who joined Instructables after the switchover to Streamsend would not have had their email address compromised by this event. this should still serve as a reminder, however, of how important it is not to re-use your passwords. had it actually been a breach of the Instructables user database, it wouldn't have been just your Instructables account that the attackers got access to, but also every other account where you used the same username and password.

finally, there will undoubtedly be those who question why iContact still had Instructables data after 2 years. while Mr. Wilhelm expressed regret for not insisting that data be purged, i can only imagine why iContact was holding onto data it couldn't (or rather shouldn't) use for such a long time.


Anonymous said...

Thanks for the investigation. I, too, use randomly-generated email addresses and began receiving spam from the address assigned to Instructables. I was searching for phrases like "instructables user data breach" and found your posts. Guess it's time to change the address I'm using with Instructables and throw yet another address onto the blacklist...

kurt wismer said...

you know what, thanks should really go to eric wilhelm. i said i had been in contact with him - which is true - but to be less ambiguous he reached out to me about this and did the real leg-work.