Still getting mail from a leaked database


A famous pizza chain in Australia had their customer account database stolen a few years ago. I was living in Mascot with Clara at the time, a suburb just south of Sydney. I was lucky that I never use my real name on these services, and I use one-off passwords with KeePassXC, which you should also use because it's great.

Years later I still get regular emails like this:

Subject: Jeff, Mascot?

are you in Mascot?

These kinds of social engineering attacks are far more dangerous than general spam. Your location is a piece of information an attacker would need to know in advance, which unsuspecting or trusting email users could interpret as adding legitimacy. Like my hat.

A related, widely-discussed scam involves sending a leaked password you once used to scare you into sending them money:

Some time ago your computer was infected with my private software, RAT (Remote Administration Tool). I know your password is ce#Dz!7oy]m(Fc$. My malware gave me access to all your accounts, contacts and it was possible to spy on you over your webcam.

This is unrelated, but I thought it was funny that my long passphrase of gibberish was truncated with the first dollar sign. Some suspect scammer’s software must have parsed it as regex.

Next time you have another video call or catchup with family, it might be a great opportunity to bring up what they know about email and web scams. Education is our best defence against these kinds of attacks. Attackers making mistakes may be #2.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!