Store's Web Store customer database got compromised
gargravarr
Feb 24th, 2012, 08:02 PM
I noticed that a well-known store's customer database quite definitely got compromised.
A Dedicated (or Disposable) Email Address (with a unique suffix only given to that store) started receiving SPAM once in a while, after I placed an order with them.
Suggestions?
Do nothing and let it be?
Tell them directly?
But then they may keep it under wraps and those responsible might never learn their lesson.
The only way for someone to learn a lesson is by getting consequences, and for a company that means loss of revenue and someone's backside catching flak.
Make it public?
Other?
johnmark1
Feb 24th, 2012, 08:34 PM
I noticed that a well-known store's customer database quite definitely got compromised.
A Dedicated (or Disposable) Email Address (with a unique suffix only given to that store) started receiving SPAM once in a while, after I placed an order with them.
Suggestions?
Do nothing and let it be?
Tell them directly?
But then they may keep it under wraps and those responsible might never learn their lesson.
The only way for someone to learn a lesson is by getting consequences, and for a company that means loss of revenue and someone's backside catching flak.
Make it public?
Other?
What makes you think the DB is compromised? They could have sold your info to a third party.
gargravarr
Feb 24th, 2012, 08:44 PM
What makes you think the DB is compromised? They could have sold your info to a third party.
It's getting low grade SPAM (amazing deals on software, xxx), not something from a decent third party.
Don't see anyone in the right frame of mind selling it to those kinds of marketers - if they sold it, it would've been something more reasonable.
And even if they did - effectively the same thing, except compromised willingly.
cheaper_than_cheap
Feb 24th, 2012, 08:55 PM
Tell them directly. In the unlikely event that their database actually has been compromised, that gives them the chance to fix it. You can always go public later if they don't do the right thing, whatever that is.
But it's also quite possible the compromise is on your end... there's lots of malware out there that will harvest email addresses from your computer, including sent mail, invoice documents etc.
gargravarr
Feb 24th, 2012, 09:15 PM
Tell them directly. In the unlikely event that their database actually has been compromised, that gives them the chance to fix it. You can always go public later if they don't do the right thing, whatever that is.
That's what I was thinking more or less.
But it's also quite possible the compromise is on your end... there's lots of malware out there that will harvest email addresses from your computer, including sent mail, invoice documents etc.
I would've seen this with other similar addresses, but I haven't - this is what makes Dedicated Email Addresses worthwhile - you always see where it leaked.
Come to think of it, there are a zillion ways to have data leaked -
* An employee of the store (e.g. a manager, not being particularly savvy) was getting email notifications for orders, and they got their computer infested with malware
* Same employee got a new computer or hard drive, and threw the old one out to the curb without wiping
* A server or a backup getting similar treatment
The end result is the same - I gave them an email address, and it hit the streets. Wonder what else was leaked.
(I did also get some credit card fraud recently - a slight chance it might be related too)
iamnotamerican.com
Feb 25th, 2012, 01:40 AM
I noticed that a well-known store's customer database quite definitely got compromised.
A Dedicated (or Disposable) Email Address (with a unique suffix only given to that store) started receiving SPAM once in a while, after I placed an order with them.
Suggestions?
Doesn't mean anything. Spammers try dictionary attacks, with multiple similar combinations. I have received spam to my domain names to addresses which don't even exist, other than in a <anything>@domainname.com situation.
Is it possible they sold it to a third party, or it was compromised? Certainly possible. Is it guaranteed? Nope.
psyko514
Feb 25th, 2012, 02:00 AM
Notify the company. See what they say from there.
On a side note, for those who aren't aware, Gmail allows you to create disposable email addresses on the fly by appending "+anything" after your username in your email address (ex. username+rfd@gmail.com or username+contests@gmail.com). It is a good way to easily filter messages. The downside is some systems will not accept email addresses with a "+" in them.
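Two of the replies above describe the same defensive technique from different angles: gargravarr's unique suffix per store and psyko514's Gmail "+anything" aliases both let you attribute junk mail to the one vendor who received that address, and iamnotamerican.com's point about dictionary-style guessing means you also have to separate addresses you actually issued from ones a spammer merely guessed. The script below is an added example, not code posted by anyone in the thread. Every address, domain, vendor name and sample message in it is constructed for illustration; it assumes a catch-all domain (example.net) for suffix addresses and a Gmail account (username@gmail.com) for +tag aliases.

```python
"""Leak attribution for dedicated / disposable e-mail addresses.

Added example, not from the thread. Every address, domain, vendor name
and sample message below is constructed for illustration.
"""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed: the addresses handed out, one per vendor. Two schemes from the
# thread: a unique suffix on your own catch-all domain, and Gmail "+tag" aliases.
ISSUED = {
    "orders-x7k2@example.net": "Store A",     # unique suffix, own domain
    "username+storeb@gmail.com": "Store B",   # Gmail plus-addressing
}
OWN_DOMAINS = {"example.net"}                  # constructed catch-all domain

PLUS_TAG_RE = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")


def _plus_base(addr):
    """'user+tag@host' -> 'user@host', or None if the address has no +tag."""
    m = PLUS_TAG_RE.match(addr)
    return f"{m.group(1)}@{m.group(3)}" if m else None


# Base accounts on which we issue +tags (here only username@gmail.com).
ISSUED_PLUS_BASES = {_plus_base(a) for a in ISSUED if _plus_base(a)}


def classify(addr):
    """Return (kind, detail) for one recipient address.

    issued         -> exactly this address was given to `detail`; spam here is evidence against them
    unissued_tag   -> a +tag we never issued on one of our accounts: guessed, not attributable
    unissued_local -> a local part we never issued on our catch-all domain: guessed, not attributable
    not_mine       -> unrelated address
    """
    addr = addr.strip().lower()
    if addr in ISSUED:
        return "issued", ISSUED[addr]
    base = _plus_base(addr)
    if base in ISSUED_PLUS_BASES:
        return "unissued_tag", base
    _, _, domain = addr.rpartition("@")
    if domain in OWN_DOMAINS:
        return "unissued_local", domain
    return "not_mine", None


def recipients(raw_message):
    """All recipient addresses from the To, Cc and Delivered-To headers, in header order."""
    msg = message_from_string(raw_message)
    values = []
    for header in ("To", "Cc", "Delivered-To"):
        values.extend(msg.get_all(header, []))
    return [addr for _, addr in getaddresses(values) if addr]


def attribute(raw_messages):
    """Count, per vendor, messages that hit an address only that vendor was given,
    and separately count hits on addresses nobody was given (dictionary noise)."""
    leaks, noise = Counter(), Counter()
    for raw in raw_messages:
        vendors_seen = set()               # count a vendor at most once per message
        for addr in recipients(raw):
            kind, detail = classify(addr)
            if kind == "issued" and detail not in vendors_seen:
                leaks[detail] += 1
                vendors_seen.add(detail)
            elif kind in ("unissued_tag", "unissued_local"):
                noise[kind] += 1
    return leaks, noise


# Constructed sample mailbox: five raw RFC 822 messages.
SAMPLE_MESSAGES = [
    # 1. Junk to the suffix address handed only to Store A.
    "From: deals@spam.example\nTo: orders-x7k2@example.net\n"
    "Subject: Amazing deals on software\n\nbuy now\n",
    # 2. Same address again, visible only in Delivered-To (To: names someone else).
    "From: promo@spam.example\nTo: victims@spam.example\n"
    "Delivered-To: Orders-X7K2@example.net\nSubject: promo\n\nclick\n",
    # 3. A +tag we never issued: a guess, not evidence against any vendor.
    "From: x@spam.example\nTo: username+admin@gmail.com\nSubject: hi\n\nhi\n",
    # 4. A local part we never issued on the catch-all domain: also a guess.
    "From: y@spam.example\nTo: sales@example.net\nSubject: hi\n\nhi\n",
    # 5. Mail to a stranger's address, ignored.
    "From: z@spam.example\nTo: other@elsewhere.org\nSubject: hi\n\nhi\n",
]

if __name__ == "__main__":
    leaks, noise = attribute(SAMPLE_MESSAGES)
    for vendor in ISSUED.values():
        print(f"{vendor}: {leaks[vendor]} unsolicited message(s)")
    print("unattributable (guessed addresses):", dict(noise))
```

On the sample mailbox only Store A's address draws junk while Store B's draws none, which is the comparison gargravarr relies on: if the leak were on your own machine, every dedicated address would be exposed together. The two "unissued" counters keep guessed addresses out of that tally, so a catch-all domain full of dictionary noise does not get blamed on a vendor. Gmail's dot-insensitivity and case folding beyond lower-casing are not modelled here.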