Equifax Data Breach in the Wild

By Chad Kreimendahl

This evening, my spam box was populated with messages to a single-use email address which I created custom for use with Equifax, years ago. I’ve now validated that this is, indeed, the first and only time I’ve ever received unsolicited email to this Equifax-only email address.  A quick search of the internet brings up no other stories of similar use. There may be a chance that this is the first proof that the data that was breached has made it out into the wild and is being used by some baddies.

I’m having a hard time believing this is just a coincidence, since it’s been years since the last communication to this address. I’m happy to have the more brilliant people confirm.

We know from reporting that names, social security numbers, email addresses, and physical addresses were taken. This confirmation of the email in the wild should be considered a terrifying confirmation that the rest is also out there, or may be soon.

Equifax Hax

How I use Single-Use Emails

I own too many domains to count. As such, I’ve utilized some of them for the purposes of account sign-ups and one-off email addresses for a very long time. It’s helped me, on numerous occasions, identify hacked or stolen private information about myself to the hacked party. The setup for this is relatively simple. I’ve created a wildcard entry for some of those domains which forward their email to a gmail box. Let’s call this domain “nospams.com.” When I sign up for an account somewhere, I’ll set my email address as something that contains their company name + a unique code. So for Equifax, it was equifax+efa82@nospams.com.

Imagine my surprise when only a few weeks after a well-reported breach, a spam message shows up to that exact mailbox. One only ever used for conducting business with Equifax.

How To do Single-Use Emails Without Your Own Domain

Most mail providers, gmail, hotmail and yahoo included, allow you to add a plus sign (+) after the account portion of your email address, and will still deliver as normal. So, if you’re a.rando@gmail.com, you can use a.rando+equifax@gmail.com, when signing up for equifax, for example,  and it will get to your inbox. That’s a quick-and-dirty way to go about discovering who is selling or losing your data. I recommend it for anyone as a great method to also help you block spam when you’ve discovered someone has sold or stolen your info.

Update: How Did This All Happen?

Here’s a great write-up on the origins of the Equifax breach. It’s not overly technical and covers most of what we suspected. An un-patched vulnerability and unacceptable passwords.

[more updates to great external run-downs will be posted here in the coming weeks]

Like What You’ve Read? Subscribe for More

Join the Onspring Insights newsletter for monthly updates from our blog.