Borders Leaks...

August 5, 2007

If you are smart, you create disposable email accounts for each website or online service that requests an email address from you (Yahoo! Mail Plus has a great disposable email address tool). This way if you ever get spam into one of these addresses, you know which website or company had leaked your address out.

I signed up with Borders Rewards a while back using a disposable alias [email protected] (don't bother sending email to it now, I have shut off that alias). I figured, it is Borders, I can trust them. But, still I want to use a disposable email alias -- just in case. In the past few weeks, I have been receiving a lot of spam to the alias. I was pretty pissed; this meant only one thing: someone at Borders had leaked email addresses out into the public -- breaking their own privacy policy, and showing that either Borders is a bad corporation or there is a serious security hole with their back-end systems. Either way, I was annoyed that a large corporation like this would have leaked out an email address that I used only once to sign up for an account with their rewards program.

So, I wrote a complaint letter on their website to let them know about my frustration. What I got back from Borders was even more frustrating and silly:

It has come to our attention that customers who have the word "Borders" in their e-mail address have been receiving spam. Please be assured that the e-mails did not originate from Borders Group, nor does it appear that your e-mail address was obtained from any records that we maintain. Spammers are able to use the word "Borders" as a means to send spam e-mails to anyone whose e-mail address includes this word. We recommend changing your e-mail address so that it does not include the word "Borders." While Borders Group had no role in this incident, we do understand that it has caused you frustration and concern. We apologize for this and want to assure you that we are doing all we can to get to the bottom of the issue and remedy it.

So, what they are trying to tell me is that some spammer had used the word "borders", then randomly guessed and tacked on "rewards", a hyphen and "email" to my domain name? That's quite a stretch if you ask me. What I think happened was that some disgruntled employee inside Borders left the company and took along with them a list of email addresses -- which they sold off to some spammer. I really do like how Borders made it expressly clear that they "had no role in this incident" (please, please see the sarcasm in the last sentence).

I wrote back telling them that it was more than one incident, as spam continued to roll into the email alias until I shut it off. I created a disposable address at Yahoo! Mail Plus (it contains random numbers, letters and no full words) that I have used with my Borders Rewards account. If that one starts getting spam, I will for sure know that they have some serious security problems which need to be addressed -- since no one can randomly generate the 33 random letters and numbers (and one hyphen) I used to make that disposable address. Boo on Borders.
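The per-site alias idea from this post, as an added example (not code from the original post and not how Yahoo! Mail Plus builds its addresses): each site gets an opaque alias derived from a private key, so spam arriving at it can be traced to the one site that was given it, and an alias that contains the site's name can be flagged as guessable. The secret, the `example.com` domain, the function names and the sample alias are all assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Optional

SECRET = b"constructed-demo-secret"  # assumption: a private key only you hold
DOMAIN = "example.com"               # assumption: a mail domain you control


def alias_for(site: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive an opaque alias for one site; nothing in it names the site."""
    digest = hmac.new(secret, site.lower().encode(), hashlib.sha256).digest()
    # 20 base32 characters carry 100 bits, far beyond dictionary guessing.
    local = base64.b32encode(digest).decode().lower().rstrip("=")[:20]
    return f"{local}@{domain}"


def is_guessable(alias: str, site: str) -> bool:
    """True if the local part contains a word (4+ chars) from the site name."""
    local = alias.split("@", 1)[0].lower()
    words = [w for w in re.split(r"[^a-z0-9]+", site.lower()) if len(w) >= 4]
    return any(w in local for w in words)


def attribute(recipient: str, sites: List[str]) -> Optional[str]:
    """Return the site whose alias received the mail, or None if unknown."""
    issued = {alias_for(site): site for site in sites}
    return issued.get(recipient.strip().lower())


if __name__ == "__main__":
    sites = ["borders.com", "amazon.com"]  # constructed list of sign-ups
    readable = "bordersrewards-email@example.com"  # constructed, not the real alias
    opaque = alias_for("borders.com")
    print(readable, "guessable:", is_guessable(readable, "borders.com"))
    print(opaque, "guessable:", is_guessable(opaque, "borders.com"))
    print("spam to", opaque, "traces back to", attribute(opaque, sites))
```

Because the alias is derived rather than stored, the list of sites plus the secret is enough to re-check any recipient address later.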