PSA: change your account logins

Steve Atkins steve at
Fri May 31 13:56:08 UTC 2019

> On May 31, 2019, at 2:17 PM, Richard <lists-nanog at> wrote:
>> Date: Friday, May 31, 2019 08:04:13 -0400
>> From: Jason Kuehl <jason.w.kuehl at
>> Is it possible, yes. I've seen it several times now at my place of
>> work. Targeted attacks are a thing.
>>>> Dan Hollis wrote:
>>>> Phishing scheme didn't happen.
>>>> fedex has had a number of major compromises so it's not a
>>>> stretch that their user database was stolen and sold to spammers.
> When I have looked into this type of issue for my unique addressing
> some did trace back to back-end db hacks (e.g., adobe), but I found
> that the most likely culprit was the 3rd-party bulk mailer that
> handled the organization's marketing mail. It could be a non-zeroed
> disk thrown into the trash or an inside job, but it almost always
> traced back to one or two bulk mailing companies. 

The most common issue for quite a while was malware on the windows
desktops of employees with access to the companies ESP account.

The web browser saves username and password to autofill the ESPs
web interface in a very predictable place. Malware exfiltrates that. Bad
guys compromise ESP account, download all the lists they can find
(and then start spamming on the company dime).

That's why ESPs pushed quite so hard to get multifactor authentication
of some sort adopted by their customers. But a lot of them didn't do
that (partly, I suspect, because the ESP account was accessed by
multiple employees) and even if they did that didn't stop the lists
that had already been downloaded.

Actual compromises of the ESP, or bad behaviour of it's employees,
seem to be rather rare but customer account compromise is


More information about the NANOG mailing list