How Not To Capitalize On A Security Compromise

OK, Gawker got owned.  We get it.  A family of major media sites suffered the theft of an estimated 1.5 million user records (usernames and poorly-protected password hashes), with unknown impacts beyond that.  They didn’t notify users in a very timely fashion, and there is an air of “too little, too late” around their response to and FAQ about the incident.  Bad on them.  But, if you’re like Dru Wynings, you’re probably asking yourself, “Self, how can I take this security compromise and make some dolla dolla billz for *ME*?”

You see, Dru is apparently the founder of a site called “hint.io”.  This morning, a large number of Gawker users received an unsolicited e-mail from a “teamhint” account belonging to hint.io.  The site itself is devoid of any meaningful content or explanation of what the company does or is supposed to do.  They may as well claim to synthesize a methylated alkaloid.  See a redacted version of the message I received below.

The e-mail has three tracker-laden links to hint.io’s site and one tracker-laden image.  (See the redacted tracker URL to the left.)  Every one of those URLs carries an identifier tied to the recipient, so each click, and even just rendering the image, tells the sender which stolen addresses are live and which recipients will follow a link from a stranger.  You see, Dru decided to capitalize on Gawker’s compromise by acquiring the stolen data, then sending a marketing e-mail blast to the victims – how clever!  Under the guise of a “good samaritan”, his company is now building a massive database of valid e-mail addresses owned by gullible users who like to click shady links in unsolicited e-mail.  Great work, Dru!
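If you want to check a mailing like this one for yourself rather than take my word for it, the script below does the three things I did by hand: pull every link and image out of the HTML body, flag the ones that route through a redirector or carry a per-recipient identifier (or a 1x1 image), and then look for the one token that appears in every tracked URL, which is what ties the click or the open back to you.  This is an added example, not code from the original message or from hint.io.  The sample e-mail embedded in it is constructed for illustration, and its hostnames (`click.mailer.example`, `hint.example`), paths, parameter names and the list of suspicious query keys are all my own assumptions.

```python
"""Spot click-tracking links and tracking pixels in an HTML mailing.

Added example for this post; not code from the original page or from hint.io.
The hostnames, paths, parameter names and token values below are invented.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample mailing with the shape the post describes: three links
# routed through a redirector that carries a per-recipient token, plus a 1x1
# image fetched from the same redirector.  (Invented domains and values.)
SAMPLE_EMAIL = """<html><body>
<p>An account of yours on a major media site may have been compromised.</p>
<p><a href="http://click.mailer.example/r?u=http%3A%2F%2Fhint.example%2F&amp;rid=1a2b3c4d5e6f7a8b">Check whether you were affected</a></p>
<p><a href="http://click.mailer.example/r?u=http%3A%2F%2Fhint.example%2Fwhy&amp;rid=1a2b3c4d5e6f7a8b">Why you are receiving this</a></p>
<p>Or visit <a href="http://click.mailer.example/r?u=http%3A%2F%2Fhint.example%2F&amp;rid=1a2b3c4d5e6f7a8b">hint.example</a> directly.</p>
<p><a href="http://hint.example/privacy">Privacy policy</a></p>
<img src="http://click.mailer.example/o.gif?rid=1a2b3c4d5e6f7a8b" width="1" height="1" alt="">
</body></html>"""

# Assumption: a heuristic list of query keys mailers use for subscriber IDs,
# plus a pattern for opaque token-like values under any key.
TRACKING_KEYS = {"rid", "uid", "eid", "cid", "sid", "mc_eid", "subscriber", "token"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-=%]{12,}$")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _Collector(HTMLParser):
    """Collects (href, visible text) for anchors and attribute dicts for images."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser has already unescaped &amp; in attribute values
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _identifier_params(query):
    """Names of query parameters that look like per-recipient identifiers."""
    return [k for k, vals in parse_qs(query).items()
            if k.lower() in TRACKING_KEYS or any(TOKEN_RE.match(v) for v in vals)]


def link_findings(href, text):
    """Reasons a link looks like a click tracker; an empty list means it looks clean."""
    u = urlparse(href)
    reasons = [f"per-recipient identifier in {k!r}" for k in _identifier_params(u.query)]
    # A query value that is itself a URL means the link is a redirector.
    for k, vals in parse_qs(u.query).items():
        for v in vals:
            if urlparse(v).scheme in ("http", "https"):
                reasons.append(f"redirector: {k!r} forwards to {v}")
    # The text shows one domain but the href goes somewhere else.
    host = (u.hostname or "").lower()
    for shown in DOMAIN_RE.findall(text):
        shown = shown.lower()
        if host != shown and not host.endswith("." + shown):
            reasons.append(f"visible domain {shown} but link goes to {host}")
    return reasons


def image_findings(attrs):
    """Reasons an <img> looks like an open-tracking beacon."""
    reasons = []
    if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
        reasons.append("1x1 image")
    if _identifier_params(urlparse(attrs.get("src", "")).query):
        reasons.append("per-recipient identifier in image URL")
    return reasons


def analyze_email(html):
    """Return every link plus the subset of links and images that carry tracking."""
    p = _Collector()
    p.feed(html)
    tracked = [(h, t, r) for h, t in p.links for r in [link_findings(h, t)] if r]
    pixels = [(i.get("src", ""), r) for i in p.images for r in [image_findings(i)] if r]
    return {"links": p.links, "tracked_links": tracked, "tracking_pixels": pixels}


def shared_identifiers(report):
    """Query values present in every tracked URL: the recipient's own tracking token."""
    urls = [h for h, _, _ in report["tracked_links"]] + [s for s, _ in report["tracking_pixels"]]
    value_sets = [{v for vals in parse_qs(urlparse(u).query).values() for v in vals} for u in urls]
    return set.intersection(*value_sets) if value_sets else set()


if __name__ == "__main__":
    rep = analyze_email(SAMPLE_EMAIL)
    for href, text, reasons in rep["tracked_links"]:
        print(f"[link] {text!r} -> {href}\n       " + "; ".join(reasons))
    for src, reasons in rep["tracking_pixels"]:
        print(f"[img]  {src}\n       " + "; ".join(reasons))
    print("token shared by all tracked URLs:", shared_identifiers(rep))
```

Run it against the raw HTML part of a message you have saved (`analyze_email(open("mail.html").read())`) rather than against what your mail client renders; the client may already have rewritten or stripped the links.  The heuristics are deliberately loose, so treat a hit as something to look at, not proof of malice: the decisive signal is the last line, a single opaque value that every link and the image share, because that is what makes the mailing a per-recipient probe rather than a plain advert.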

In the age of phishing and its targeted derivatives, sending vague e-mail messages like this one is incredibly irresponsible.  A message that tells recently-breached users to click a link from a company they have never heard of is exactly what they are being told to watch out for, and it trains them to do the wrong thing next time.

If Dru were truly a good samaritan, he’d have taken the high road and not sent such a vague, bashing e-mail to people who should have a heightened sense of security right now.  If nothing else, he’d have disclosed his intentions in the e-mail, not used click-tracker URLs in the message, and been more up front about the fact that he was using stolen data to make an independent, third-party breach notification.  The praise that has been doled out to him for this deed is woefully misplaced.  His actions were unethical at best, criminal (taking stolen property) at worst.

Bad move, Dru.  Maybe you should send another message out apologizing for your carelessness and malice.  You should also purge your systems of all data collected by this underhanded method.

Update 1: Dru responded to my tweet, deferring responsibility for the click-tracked URLs to his “e-mail provider”.  I then implored him to be more transparent about his company’s shady moves in this mess, but have not received a reply.

In other coverage, Jonathan Kamens has a very well-written summary sharing the view that hint.io did absolutely nothing right.

3 comments

  1. @wikifreak – you’re correct. I mistakenly uploaded TIFF files instead of JPG. I’ve converted and re-uploaded them. Sorry for the error.
