Thursday, February 11, 2010

user database breach at instructables?

many have at least heard the advice to use unique passwords at every site they visit. well, i go a few steps beyond that: not only do i use unique, randomly generated passwords at every site, i also use a unique, randomly generated email address at each site.

that probably sounds like overkill, but one consequence for me (besides knowing exactly which sites are spammy) is that the older identities collectively form a kind of honeypot for detecting user database breaches.

it was one of these addresses starting to receive spam that made me realize (and later verify) that something untoward had happened there, and so it is that today i'm going to come out and say that something fishy is going on over at

a unique, randomly generated email address (basically a secret shared only between myself and instructables) that is unguessable (there are approximately 4.7x10^18 possible values, so the chance of someone guessing one of my 200 or so addresses is so small that even at 1 million guesses a second it would take on average 375 years before they hit one) should only be usable by those who know it. so the fact that i'm receiving drug spam at this address tells me that somehow the user information in their database for my account has leaked.

*update*: it appears i miscounted the number of characters in the email address, so my probability calculations are off. there are only about 1x10^14 combinations, which means that at a million guesses a second someone could expect to guess one of mine in (on average) about 3 days. i'm not convinced that sort of brute forcing operation is going on, however (it seems like it would be too much work for too little benefit).
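as an added example (not code from the original post), here is the per-site address scheme and the brute-force arithmetic above worked in python. it assumes a hypothetical catch-all domain `example.com`, local parts drawn from lowercase letters plus digits (36 symbols, the alphabet implied by the post's 4.7x10^18 and 1x10^14 keyspace sizes), and constructed site names for the demo. the expected-guesses formula it uses, (K+1)/(n+1) for n live addresses in a space of K values, reduces to "half the keyspace" only when n = 1; with 200 live addresses it gives roughly double the post's 375-year and 3-day figures, which does not change the conclusion.

```python
import secrets
import string

# 36-symbol alphabet: 36**12 ~ 4.7e18 and 36**9 ~ 1.0e14, matching the post's numbers.
ALPHABET = string.ascii_lowercase + string.digits

# Hypothetical catch-all domain the per-site addresses are minted under (assumption).
DOMAIN = "example.com"


def mint_address(site, registry, length=12, alphabet=ALPHABET, domain=DOMAIN):
    """Mint a fresh random local part for `site`, record site ownership, return the address.

    secrets.choice draws from the OS CSPRNG; random.choice would make the local part
    predictable to anyone who recovers the generator state, defeating the whole point.
    """
    while True:
        local = "".join(secrets.choice(alphabet) for _ in range(length))
        if local not in registry:          # collisions are astronomically unlikely, but cheap to rule out
            registry[local] = site
            return f"{local}@{domain}"


def attribute(rcpt_to, registry, domain=DOMAIN):
    """Map the recipient of an unsolicited message back to the site that was given it.

    Returns the site name, or None for addresses you never minted (guesses, typos,
    mail for the catch-all domain that is not a canary).
    """
    local, _, dom = rcpt_to.strip().lower().partition("@")
    if dom != domain:
        return None
    return registry.get(local)


def classify_leaks(spam_recipients, registry, domain=DOMAIN):
    """Return {site: [addresses]} for every canary address seen on unsolicited mail."""
    leaked = {}
    for rcpt in spam_recipients:
        site = attribute(rcpt, registry, domain)
        if site is not None:
            leaked.setdefault(site, []).append(rcpt)
    return leaked


def keyspace(length, alphabet=ALPHABET):
    return len(alphabet) ** length


def mean_guesses_to_first_hit(space, in_use):
    """Expected number of distinct guesses until the first lands on any of `in_use`
    live addresses uniformly placed in a space of `space` values: (space + 1) / (in_use + 1).
    With a single target this is the familiar half-the-keyspace; with many targets the
    halving does not apply, which is why this runs about 2x the post's figures."""
    return (space + 1) / (in_use + 1)


def mean_years_to_first_hit(length, in_use, guesses_per_second=1_000_000, alphabet=ALPHABET):
    seconds = mean_guesses_to_first_hit(keyspace(length, alphabet), in_use) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    registry = {}
    for site in ("instructables.com", "other-forum.example", "shop.example"):
        print(f"{site:22s} -> {mint_address(site, registry)}")

    # Constructed sample: recipients seen on incoming spam (two canaries plus one guess).
    canary = next(addr for addr, s in registry.items() if s == "instructables.com")
    seen = [f"{canary}@{DOMAIN}", f"{canary.upper()}@{DOMAIN}", f"zzz000zzz000@{DOMAIN}"]
    print("leaked:", classify_leaks(seen, registry))

    print(f"12 chars: {keyspace(12):.2e} values, ~{mean_years_to_first_hit(12, 200):.0f} years "
          f"for 200 live addresses at 1e6 guesses/s")
    print(f" 9 chars: {keyspace(9):.2e} values, ~{mean_years_to_first_hit(9, 200) * 365.25:.1f} days")
```

the registry is the only state that matters: keep it out of the mailbox itself, since an attacker who reads the mailbox learns every canary at once and the attribution becomes worthless.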


Sic said...

right, that's instructables, ethicalhacker and another email to get shot of. thanks for sharing.
This site is a welcome, useful and entertaining addition to my RSS