Epsilon Email Breach: What You Should Know
Millions of email addresses exposed by hackers.
April 4, 2011 -- If you're a customer of Walgreens, Best Buy, Citigroup or one of several other major U.S. companies, you might want to put your email inbox on high alert.
Over the weekend, those retailers were the latest on a growing list of big-name businesses to warn customers that computer hackers may have accessed their email addresses and names. All of the companies work with the Dallas-based online marketing firm Epsilon, which said Friday that its system had been breached, potentially exposing its corporate clients' customer information.
When reached by ABCNews.com, a spokeswoman said she was unable to comment as the company conducts an investigation and cooperates with authorities. But in its statement, Epsilon, which sends 40 billion emails annually on behalf of more than 2,500 clients, said a subset of its clients' customer information was compromised in the data breach.
"The information that was obtained was limited to email addresses and/or customer names only," the company said. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk."
Affected Customers Could See More Spam, Phishing Attacks, Experts Say
J.P. Morgan, Kroger, Capital One Financial, Barclays Bank, The College Board and TiVo are among the companies to acknowledge that their customers' data may have been accessed by hackers. (For an up-to-date list of confirmed companies affected by the attack, check out SecurityWeek's list here.)
While security experts say hackers are usually interested in more sensitive data than people's names and email addresses, they still warn that affected customers should be extra careful with their email.
Graham Cluley, a senior technology consultant with the security firm Sophos, said that although the Epsilon breach appears to have hit many well-known companies -- and their millions of customers -- at least the hackers didn't run away with credit card information or home addresses, which could be used to commit identity theft or make unauthorized purchases.
Customers with compromised email accounts could expect a surge in annoying spam to their inbox, he said, but the hack could have more insidious effects, too.
"The biggest danger here really is that spammers could then target you with email pretending to come from these organizations," Cluley said. "You might get fooled into being phished for your log-in information or being sent malware or a dangerous Web link."
Hackers Could Use Stolen Email Addresses Months Down the Road
Now that the hackers have a treasure trove of verified email addresses, they could use them themselves or sell them on the black market, he said.
Even months down the road, customers could get an email masquerading as a message from their bank or credit-card issuer containing poisonous Web links. Once clicked, those links could install malicious code on their computers or try to trick them into giving up valuable information, such as credit card information or log-in data to their banks or social media accounts.
To keep your personal information protected, experts say you should be wary of unsolicited messages, especially those with attachments and those that ask you for information. Cluley said that if you receive an email from a company (even one that you do business with) that contains a Web link, it's important not to click on it. Instead, go to the website directly and log in from there.
"It's a pretty ugly situation from that point of view," he said. "But, at the same time, thank goodness this isn't credit card information."
The Associated Press contributed to this report.