PSA: DiveNav email data not safe


guruboy (Divemaster, Scuba Instructor, ScubaBoard Supporter; Palo Alto, CA)
I gave my email address to DiveNav. This email address is not used for anything else, ever.

I have been receiving spam at said address.

So they either got hacked or sold my email address.
 
What kind of spam? If it is for Peppy Peter Pills, I would say they got hacked. But if a business is selling their mailing lists, they usually sell it to other businesses in the same industry, scuba diving and vacations.
 
It could very well be that neither is true. The internet is not point-to-point. Your e-mails likely pass through a bunch of intermediate servers. Any one of them could have been used to harvest e-mail addresses, yours included, through no fault of yours or theirs. Welcome to the 2010s.
 
I gave my email address to DiveNav. This email address is not used for anything else, ever.

I have been receiving spam at said address.

So they either got hacked or sold my email address.


I reported the same issue in January. Most likely, they've got a compromised PC, where malware has harvested the addresses of recent recipients.

Re. intermediate mail servers harvesting headers for future spam....um, as far as SMTP goes, the internet is a reasonable imitation of point-to-point, or at least [your mail client]=>[an outbound mail server that you presumably trust]=>[the designated Mail eXchange server chosen by the recipient]=>[the recipient's mail client]. Sure, from a network point of view the traffic will pass through multiple routers along the way, but it's unlikely that they're harvesting addresses.
 
Re. intermediate mail servers harvesting headers for future spam....um, as far as SMTP goes, the internet is a reasonable imitation of point-to-point, or at least [your mail client]=>[an outbound mail server that you presumably trust]=>[the designated Mail eXchange server chosen by the recipient]=>[the recipient's mail client]. Sure, from a network point of view the traffic will pass through multiple routers along the way, but it's unlikely that they're harvesting addresses.

My experience is different.

I have no connection with the UAE, but my sister worked in the United Arab Emirates for a couple of years and I exchanged emails with her when she was there. Ever since, I have been plagued with business spam from UAE. This isn't crappy spam, but spam selling UAE real estate, business conferences, consulting services etc.

I can only conclude that whichever internet service providers she used whilst she lived there were harvesting her email addresses. And then sold the addresses on. But on principle, I will never direct business to any company which spams me.
 
Any web connection that is not https may be intercepted, and any computer may be hosting malware that harvests email addresses. Estimates used to be that 25% of all PCs (regardless of OS) were infested with malware like that.

In theory, you can also "salt" your email address anyplace you leave it. Not all email clients or web page validators will allow this, but "the rules" DO.

Let's say "myemail@mydomain.com" is how you'd normally give your email address.
So when I ask for your email, you tell me it is "myemail@mydomain.com+thatguys@hisdomain.com"
and real email clients are supposed to parse it up to the + sign and then stop there. So it functions as just your email address, but it shows and reads with the full custom address that you have put in. Making it dead certain where the address was harvested from.

There are also some quirks, some idiots who use CC instead of BCC and publish addresses they shouldn't be publishing. And naive folks still using AOL email, because AOL does the same thing: it embeds EVERY address in the text portion of forwarded emails, despite BCC being selected.
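The tagged-address trick in the post above, and the earlier point about reading the SMTP hops from a message, can both be worked through on a real spam once it arrives. The following is an added example, not code from the thread or from DiveNav: it hands out a tag per recipient, and when spam lands it reads the delivery headers to say which tag (and so which party) the address came from, then walks the Received: chain bottom-up to list the servers the mail actually passed through. It uses the RFC 5233 subaddressing form `local+tag@domain` (the form Gmail and Postfix `recipient_delimiter` strip before delivery), and every host, IP, ID, tag and registry entry in it is constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real spam); every host, IP and ID is made up.
RAW_SPAM = b"""\
Delivered-To: myemail+divenav@mydomain.com
Received: from mx.mydomain.com (mx.mydomain.com [192.0.2.10])
\tby imap.mydomain.com with ESMTP id abc123; Mon, 4 Feb 2019 10:00:00 +0000
Received: from mail.spammer.example (unknown [198.51.100.7])
\tby mx.mydomain.com (Postfix) with ESMTP id def456; Mon, 4 Feb 2019 09:59:58 +0000
From: "Great Deals" <deals@spammer.example>
To: "Lucky Winner" <myemail+divenav@mydomain.com>
Subject: Limited offer
Date: Mon, 4 Feb 2019 09:59:00 +0000

Buy now!
"""

# Your own record of which tag was handed to which party (hypothetical entries).
TAG_REGISTRY = {
    "divenav": "DiveNav registration form",
    "shop": "an online dive shop",
}

DELIMITER = "+"  # Gmail and Postfix (recipient_delimiter) strip "+tag" by default


def tagged_address(base, tag, delimiter=DELIMITER):
    """Build the address to hand out: local+tag@domain (RFC 5233 subaddressing)."""
    local, _, domain = base.rpartition("@")
    return f"{local}{delimiter}{tag}@{domain}"


def split_subaddress(addr, delimiter=DELIMITER):
    """Return (base_address, tag) for an address that may carry a +tag.

    The mail server drops everything from the delimiter to the @ before
    delivery, so the base mailbox receives the message while the full
    tagged address survives in the headers and names the party who had it.
    """
    _, addr = parseaddr(addr)
    local, at, domain = addr.rpartition("@")
    if not at:
        raise ValueError(f"not an email address: {addr!r}")
    base_local, _, tag = local.partition(delimiter)
    return f"{base_local}@{domain}", (tag or None)


def identify_leak_source(msg, registry=TAG_REGISTRY):
    """Read the delivery headers and report which tag the spam arrived on.

    Delivered-To / X-Original-To are written by your own MTA and are the
    reliable record; To: is the sender's claim and may not even list you (BCC).
    """
    for name in ("Delivered-To", "X-Original-To", "To"):
        value = msg.get(name)
        if value:
            base, tag = split_subaddress(str(value))
            return base, tag, registry.get(tag, "no tag on record")
    return None, None, None


RECEIVED_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_chain(msg):
    """List (from_host, by_host) hops from the Received: headers, oldest first.

    Each MTA on the path prepends its own Received: line, so reading them
    bottom-up reconstructs the route. Lines below the one added by your own
    MX can be forged by the sender; the ones your servers added cannot.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold the header
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append((m.group("frm"), m.group("by")))
    return hops


def analyse(raw=RAW_SPAM):
    """Parse one raw message and return the leak source plus the hop list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    base, tag, source = identify_leak_source(msg)
    return {"base": base, "tag": tag, "source": source,
            "hops": received_chain(msg)}


if __name__ == "__main__":
    report = analyse()
    print(f"delivered to {report['base']} via tag {report['tag']!r} "
          f"({report['source']})")
    for frm, by in report["hops"]:
        print(f"  {frm} -> {by}")
```

Run against the constructed message this reports the `divenav` tag and two hops, the spammer's host handing off directly to your MX. That is the caveat for the "intermediate servers" theory: in an SMTP delivery the only parties that see the full recipient address are the sending side, the recipient's own servers, and whoever has the sender's address book, which is why a per-recipient tag pins the leak to a party rather than to the network.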
 
I gave my email address to DiveNav. This email address is not used for anything else, ever.

I have been receiving spam at said address.

So they either got hacked or sold my email address.
We do not sell anybody's email address to anyone. That is not our business model at all.

As far as I know our site has not been hacked.

Unfortunately spam is universal ... I even get it on my personal email account that I rarely use with anyone.
 
One might also point out, if an email address consists of any words and numbers that might be found in any dictionary, or any digits from a license number or date (Jimbo1988) then it will eventually be found by a dictionary attack. There are companies that get paid to run those, and then sell the results when they've succeeded.

It has been over ten years since the major service providers (including Microsoft) all got together and said they would do something about authenticating email so unauthenticated spam could simply be blocked. Even longer since the idea of a "penny tax" was shot down. (Charge everyone a penny for each email sent, no major burden to anyone except the folks sending out 100,000 spams per day.)

And somehow, none of the parties that can do anything does it. They leave it to us to do whitelists and blacklists.
 
I reported the same issue in January. Most likely, they've got a compromised PC, where malware has harvested the addresses of recent recipients.

Yep.

As I reported to Divenav on January 9, 2018, their customer data has been exposed. Last year they dismissed my report. That data is available in what is now known as the "Collection #1" data breach.

I have again reported this to Divenav and I have urged them to contact all customers.

This data includes email addresses and passwords.

If you were ever a customer of Divenav, and ever used the same email account and an identical (or closely related) password on any other site, I strongly suggest that you change your password on the other sites.

See:

The 773 Million Record "Collection #1" Data Breach
Collection 1 Breach -- How To Find Out If Your Password Has Been Stolen
Nearly 773 million email accounts have been exposed in a massive data breach. Here's how to check if you were affected.
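The practical step the post above asks for, checking whether a password you used at DiveNav (or a password you reused elsewhere) is in a public breach corpus, can be done without sending the password anywhere. The following is an added example, not code from the thread or from the linked articles: it implements the k-anonymity lookup the Pwned Passwords range API uses, where only the first five hex characters of the SHA-1 are sent and the rest is matched locally, and then audits a small credential list for breached and reused passwords. The network call is replaced by a constructed sample response so it runs offline; the counts, the filler suffixes and the three sites are made up.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range endpoint. The real call is
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, which
# returns "<35-char suffix>:<count>" lines for every known hash with that
# prefix. The counts and the two filler suffixes below are made up.
ILLUSTRATIVE_COUNT = 123456


def sha1_hex(password):
    """Uppercase hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_SAMPLE_RANGE = {
    sha1_hex("password")[:5]: "\r\n".join([
        "0009DF5CB4C8BF5B7E3A8D4D1D0E1F2A3B4:2",
        f"{sha1_hex('password')[5:]}:{ILLUSTRATIVE_COUNT}",
        "FEDCBA9876543210FEDCBA9876543210FED:1",
    ]),
}


def sample_fetch(prefix):
    """Offline replacement for the HTTPS GET; empty body for unknown prefixes."""
    return _SAMPLE_RANGE.get(prefix, "")


def split_hash(password):
    """k-anonymity split: only the 5-char prefix ever leaves your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_lookup(prefix, fetch=sample_fetch):
    """Parse a range response into {suffix: count}."""
    result = {}
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password, fetch=sample_fetch):
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return range_lookup(prefix, fetch).get(suffix, 0)


def audit(credentials, fetch=sample_fetch):
    """Flag passwords that are breached or shared across sites.

    credentials: list of (site, password). The thread's advice is that the
    risk from a leak like this is the same password on another site, so
    both conditions are reported.
    """
    by_password = {}
    for site, pw in credentials:
        by_password.setdefault(pw, []).append(site)
    findings = []
    for pw, sites in by_password.items():
        count = breach_count(pw, fetch)
        if count or len(sites) > 1:
            findings.append({"sites": sites, "breached": count,
                             "reused": len(sites) > 1})
    return findings


# Constructed sample: a password-manager export for three fictional sites.
SAMPLE_CREDENTIALS = [
    ("divenav.example", "password"),
    ("bank.example", "password"),
    ("forum.example", "xJ9#kq2!vLm7-constructed"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CREDENTIALS):
        print(finding)
```

To use it for real, pass a `fetch` that does an HTTPS GET to the range URL with the prefix and returns the response body; the hash suffix and the password itself never go over the wire, and sending the `Add-Padding: true` request header makes every response the same size so the prefix cannot be inferred from the reply length. A single breached password on one site is bad; the same password on two sites, as the sample shows, is the case the post warns about.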
 
