Suspected Data Breach

I have just received a spam e-mail addressed to the one-off address I created to sign up to my Let’s Encrypt account. (Not this forum - the one used by your system to tell me about problems with my certificates such as imminent expiry.)

I therefore suspect there has been a data breach involving the theft of user data.

I just hope they haven’t stolen anything else, like certificates!

1 Like

Please contact security@letsencrypt.org (cf https://letsencrypt.org/contact/ )

3 Likes

Certificates are public information, and LE never has your private key, so they can’t possibly release that.

4 Likes

I hope this doesn’t sound rude, but are you absolutely certain you’ve never posted it anywhere?

I looked over your previous posts on this forum, and it looks like you’ve never posted it here, but what about other places?

(Or possibly deleted posts, or a different forum account…)

In particular, Certbot’s letsencrypt.log files will usually contain an account email address in a certain rather long line logged during startup.

3 Likes

This one:
# less /var/log/letsencrypt/letsencrypt.log
2019-09-03 13:33:09,949:DEBUG:certbot.main:certbot version: 0.37.2
2019-09-03 13:33:09,952:DEBUG:certbot.main:Arguments:
2019-09-03 13:33:09,954:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-09-03 13:33:10,122:DEBUG:certbot.log:Root logging level set at 20
2019-09-03 13:33:10,124:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-09-03 13:33:10,425:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x29ef758c> and installer <certbot.cli._Default object at 0x29ef758c>
2019-09-03 13:33:10,564:INFO:certbot.renewal:Cert not yet due for renewal
2019-09-03 13:33:10,566:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-09-03 13:33:10,566:DEBUG:certbot.renewal:no renewal failures
/var/log/letsencrypt/letsencrypt.log (END)
?

As I said, it’s an address I created specially for my account and it’s not on any server, only in my local folders in Claws Mail, so it’s difficult to see how it could be accessed there. The address has been used nowhere apart from setting up my user account and even this forum has a different e-mail address for me. I therefore can’t think where it could have leaked from as it simply isn’t stored anywhere else.

I must admit, it’d be rather silly of a cracker who penetrated a security-related database to give that fact away by sending spam to people who are more savvy than the typical PC user and are likely to know where the data came from, but it’s an address only used in one place and the only people I’ve ever given it to is the Let’s Encrypt security team (today). I always take care never to post information of this kind on a forum or public mailing list, for obvious reasons.

Yes, I know it could have been intercepted from a mail server somewhere en route, but somehow I think that’s unlikely as it’s the only address for a very long time at which I’ve started to receive spam.

The possibility of a data breach has to be at least considered, as vigilance is a key aspect of security.

2 Likes

That snippet definitely doesn’t contain your email address.

I was mainly wondering if you had posted other logs in deleted posts, or in other locations – for example, a bug report on GitHub, or on a FreeBSD support forum – and accidentally left in an email address.

I’m not doubting you, or saying Let’s Encrypt shouldn’t take your report seriously. I just want to be extra sure there couldn’t be another explanation.

3 Likes

Your email may have also been shared with EFF (separate to Let’s Encrypt/ISRG), if you agreed to the one time Certbot prompt (or perhaps inadvertently used a non-interactive flag to that effect):

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o:

1 Like

But then I’d have received e-mails from them, and I haven’t. Nor would I use the same address for two unrelated organisations.

As for bug reports, why would a bug report from any of my computers contain an e-mail address not stored by me and only present in a few incoming mails to my Claws mail client? This is not a piece of data I’m processing in any application for which I’d have a reason to post a bug.

Hi, @kjpetrie,

Thanks so much for your vigilance in noticing this and letting us know! We replied to your security@ e-mail with the details of what we found; the short version is that we did not identify any breaches or leaks from our side.

3 Likes

Maybe you can try a “subject data access” to the sender of the spam, to ask what data they have and where it came from, using the GDPR as an argument. Even spammers answer that kind of request!

But beware: they will know it’s a real email and, if they are evil, they could harvest more data on you.

Try using https://haveibeenpwned.com to see if it was leaked from elsewhere. I use one-time emails myself and I find it most annoying to have them leaked, but apart from pounding on a desk there is not much you can do about it.

Also check your own server; someone may have accessed your server and scraped it from the logs. The same goes for your own PC.

2 Likes

The mystery is now solved and I owe Let’s Encrypt an apology! As mnordhoff suggested, the address was buried in a log file I posted on the FreeBSD forum! Unfortunately the log was printed in their forum with the overflow hidden and so it wasn’t visible at my usual window size.

However, this does raise another mystery for me to look into - there was a letter missing from the address concerned on closer inspection, and that error was duplicated in the spam address, but as this log was copied and pasted the question I now have to investigate was: why was the address in the log wrong?

Anyway, this small error, duplicated by the spammer, does indeed identify the post as the source of the address, so LE is exonerated and I must apologise for my mistake. At least we can all rest assured there’s no problem at present.

9 Likes
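The lesson of the thread is that a Certbot log pasted into a public forum can carry the account e-mail address in its startup line. The following is an added example, not code from this thread or from Certbot: a small pre-posting scrub that lists and redacts every address in a log. The sample lines are constructed in the format of the log quoted above, with a placeholder `--email` argument on the Arguments line; the address and hostname are not values from the original posts.

```python
import re

# Constructed sample lines in the format of a Certbot letsencrypt.log.
# The --email value and hostname are placeholders, not values from the thread.
SAMPLE_LOG = """\
2019-09-03 13:33:09,949:DEBUG:certbot.main:certbot version: 0.37.2
2019-09-03 13:33:09,952:DEBUG:certbot.main:Arguments: ['certonly', '--webroot', '-w', '/usr/local/www', '-d', 'www.example.invalid', '--email', 'acme-contact@example.invalid', '--agree-tos']
2019-09-03 13:33:10,122:DEBUG:certbot.log:Root logging level set at 20
2019-09-03 13:33:10,564:INFO:certbot.renewal:Cert not yet due for renewal
"""

# Deliberately permissive pattern: when scrubbing before publishing, a false
# positive costs a little readability, while a missed address is the leak
# this thread is about. Bare hostnames (no '@') are left alone.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails(text):
    """Return (line_number, address) for every e-mail address in the log.

    Run this first so you can see exactly what would have been published,
    including addresses hidden at the end of a very long line.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in EMAIL_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(text):
    """Replace every address with a fixed marker, leaving the rest intact."""
    return EMAIL_RE.sub("<EMAIL REDACTED>", text)


if __name__ == "__main__":
    for lineno, address in find_emails(SAMPLE_LOG):
        print(f"line {lineno}: {address}")
    print(redact(SAMPLE_LOG))
```

Review the output of find_emails() before trusting the redacted text, since a log may also carry hostnames, paths or account URLs you do not want to publish and which this pattern does not touch.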
