PSA: DiveNav email data not safe

Discussion in 'DiveNav' started by guruboy, Mar 2, 2018.

  1. guruboy

    guruboy Divemaster ScubaBoard Supporter

    I gave my email address to DiveNav. This email address is not used for anything else, ever.

    I have been receiving spam at said address.

    So they either got hacked or sold my email address.
     
  2. Bubblesong

    Bubblesong ScubaBoard Supporter ScubaBoard Supporter

    # of Dives: 50 - 99
    Location: Massachusetts
    What kind of spam? If it is for Peppy Peter Pills, I would say they got hacked. But if a business is selling their mailing lists, they usually sell it to other businesses in the same industry, scuba diving and vacations.
     
  3. TrimixToo

    TrimixToo Regular of the Pub

    # of Dives: 200 - 499
    Location: New York State
    It could very well be that neither is true. The internet is not point-to-point. Your e-mails likely pass through a bunch of intermediate servers. Any one of them could have been used to harvest e-mail addresses, yours included, through no fault of yours or theirs. Welcome to the 2010s.
     
    DiveNav and Umuntu like this.
  4. rmssetc

    rmssetc Barracuda

    # of Dives: 100 - 199
    Location: Philadelphia
    I reported the same issue in January. Most likely, they've got a compromised PC, where malware has harvested the addresses of recent recipients.

    Re. intermediate mail servers harvesting headers for future spam... um, as far as SMTP goes, the internet is a reasonable imitation of point-to-point, or at least [your mail client]=>[an outbound mail server that you presumably trust]=>[the designated Mail eXchange server chosen by the recipient]=>[the recipient's mail client]. Sure, from a network point of view the traffic will pass through multiple routers along the way, but it's unlikely that they're harvesting addresses.
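
The delivery path described in the post above can be read back from a message's Received headers, which also record whether each hop used TLS. This is an added example, not part of the original post; the message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; every hostname and address is made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby imap.recipient.example with LMTP; Fri, 2 Mar 2018 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Fri, 2 Mar 2018 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby smtp.sender.example with ESMTPSA; Fri, 2 Mar 2018 10:00:01 +0000
From: customer@sender.example
To: support@recipient.example
Subject: order question

body
"""

# "with" protocol keywords that indicate TLS on that hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\w+))?", re.S)


def hops(raw):
    """Return (from_host, by_host, protocol, tls) for each hop, in travel order."""
    msg = message_from_string(raw)
    out = []
    # Each server prepends its own Received line, so reverse for travel order.
    # Lines added before the first server you trust can be forged by the sender.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # malformed or non-standard trace line
        proto = (m.group(3) or "unknown").upper()
        out.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return out


def unencrypted_hops(raw):
    """Receiving hosts of hops that did not record a TLS-protected transfer."""
    return [by for _, by, _, tls in hops(raw) if not tls]


if __name__ == "__main__":
    for hop in hops(RAW):
        print(hop)
    print("no TLS recorded on hop into:", unencrypted_hops(RAW))
```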
     
  5. Umuntu

    Umuntu Divemaster

    # of Dives: I just don't log dives
    Location: Traveller
    My experience is different.

    I have no connection with the UAE, but my sister worked in the United Arab Emirates for a couple of years and I exchanged emails with her when she was there. Ever since, I have been plagued with business spam from UAE. This isn't crappy spam, but spam selling UAE real estate, business conferences, consulting services etc.

    I can only conclude that whichever internet service providers she used whilst she lived there were harvesting her email addresses. And then sold the addresses on. But on principle, I will never direct business to any company which spams me.
     
  6. Rred

    Rred Manta Ray

    # of Dives: 200 - 499
    Location: In a safe place
    Any web connection that is not https may be intercepted, any computer may be hosting malware that harvests email addresses. Estimates used to be that 25% of all PCs (regardless of OS) were infested with malware like that.

    In theory, you can also "salt" your email address anyplace you leave it. Not all email clients or web page validators will allow this, but "the rules" DO.

    Let's say "myemail@mydomain.com" is how you'd normally give your email address.
    So when I ask for your email, you tell me it is "myemail@mydomain.com+thatguys@hisdomain.com"
    and real email clients are supposed to parse it up to the + sign and then stop there. So it functions as just your email address, but it shows and reads with the full custom address that you have put in. Making it dead certain where the address was harvested from.

    There are also some quirks, some idiots who use CC instead of BCC and publish addresses they shouldn't be publishing. And naive folks still using AOL email, because AOL does the same thing, embedding EVERY address in the text portion of forwarded emails, despite BCC being selected.
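
One way to turn per-recipient address tagging into a leak-attribution check, as an added example that is not part of the original post. It assumes a mail provider that supports "+" sub-addressing with the tag inside the local part (`user+tag@domain`); the key, vendor names and function names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a private key only you hold


def tag_for(vendor):
    """Vendor label plus a short keyed MAC, so a tag cannot be guessed or forged."""
    vendor = vendor.lower()
    mac = hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{vendor}.{mac}"


def tagged_address(base, vendor):
    """Build the address to hand to one vendor, e.g. user+vendor.mac@domain."""
    local, _, domain = base.rpartition("@")
    return f"{local}+{tag_for(vendor)}@{domain}"


def attribute(recipient, base):
    """Classify the recipient address seen on an incoming message.

    Returns the vendor name for a valid tag, "untagged" when the tag is
    missing (harvesters can strip "+tag"), "forged-or-unknown" when the MAC
    does not verify, and None when the address is not a form of `base`.
    """
    local, _, domain = recipient.lower().rpartition("@")
    base_local, _, base_domain = base.lower().rpartition("@")
    user, plus, tag = local.partition("+")
    if domain != base_domain or user != base_local:
        return None
    if not plus:
        return "untagged"
    vendor, _, _mac = tag.rpartition(".")
    if vendor and hmac.compare_digest(tag_for(vendor), tag):
        return vendor
    return "forged-or-unknown"


if __name__ == "__main__":
    base = "myemail@mydomain.com"
    addr = tagged_address(base, "diveshop")  # constructed vendor name
    print(addr, "->", attribute(addr, base))
    print(attribute("myemail+diveshop.zzzzzz@mydomain.com", base))
```

Spam arriving at the bare address proves nothing about its source, which is why a stripped tag is reported separately instead of being attributed.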
     
  7. DiveNav

    DiveNav ScubaBoard Supporter ScubaBoard Supporter

    # of Dives: 200 - 499
    Location: Southern California
    We do not sell anybody's email address to anyone. That is not our business model at all.

    As far as I know our site has not been hacked.

    Unfortunately spam is universal ... I even get it on my personal email account that I rarely use with anyone.
     
  8. Rred

    Rred Manta Ray

    # of Dives: 200 - 499
    Location: In a safe place
    One might also point out, if an email address consists of any words and numbers that might be found in any dictionary, or any digits from a license number or date (Jimbo1988) then it will eventually be found by a dictionary attack. There are companies that get paid to run those, and then sell the results when they've succeeded.

    It has been over ten years since the major service providers (including Microsoft) all got together and said they would do something about authenticating email so unauthenticated spam could simply be blocked. Even longer since the idea of a "penny tax" was shot down. (Charge everyone a penny for each email sent, no major burden to anyone except the folks sending out 100,000 spams per day.)

    And somehow, none of the parties that can do anything, does it. They leave it to us to do whitelists and blacklists.
     
  9. rmssetc

    rmssetc Barracuda

    # of Dives: 100 - 199
    Location: Philadelphia
    Yep.

    As I reported to DiveNav on January 9, 2018, their customer data has been exposed. Last year they dismissed my report. That data is available in what is now known as the "Collection #1" data breach.

    I have again reported this to DiveNav and I have urged them to contact all customers.

    This data includes email addresses and passwords.

    If you were ever a customer of DiveNav, and ever used the same email account and an identical (or closely related) password on any other site, I strongly suggest that you change your password on the other sites.

    See:


    The 773 Million Record "Collection #1" Data Breach
    Collection 1 Breach -- How To Find Out If Your Password Has Been Stolen
    Nearly 773 million email accounts have been exposed in a massive data breach. Here's how to check if you were affected.
     
    Sean Walberg likes this.
  10. guruboy

    guruboy Divemaster ScubaBoard Supporter

    Thanks for the update.
     
