Vanguard joins list of companies leaking email addresses to spammers

I'm using different email address with each company I'm doing business with. Interesting to see who spammers get email addresses from. My list of companies where email addresses got compromised:

• United Airlines
  
• Vanguard
  
• Emigrant Direct
  
• Ameritrade

I'm very disappointed to see Vanguard join the list. Started getting spam to their address two weeks ago, mostly pumping some penny stocks. I've had a Vanguard account (with this address) for many many years.

Each company on the list has been notified, with the evidence. Ameritrade is the only one that has acknowledged the leak, and said that they've discovered and eliminated code allowing unauthorized access to the info, albeit several years after I first reported it to them. They've also become a target of class action lawsuit for that.

If you've experienced a similar spammer leak with another large company, especially financial one, please post (only if you're absolutely sure). Please also note that I'm talking about spam unrelated to the company, not mass mailings from the company itself that some may consider spam.

Note that these companies don't necessarily have your financial information compromised. Company's customer profile management system is probably totally separate from the system managing your money, they may be using third parties for email announcements, etc., so it's possible that the only thing compromised is the email address. Of course it's also possible that this is not the case and the leak is much deeper.

Is it possible that these companies aren't leaking your info, but it was just compromised another way (i.e. a hack into the system)? I haven't had a problem with my United or Ameritrade emails.

Whos your mail provider? They might be handing out info, or getting hacked... Spam is probably an unfortunate consequence of doing business on the internet.

Luckily my email programs/providers have good spam filters, so I only see about 1 piece of spam a month.

It would really help your cause if you spelled out the process by which you determined a company leaked your information. What kind of SPAM emails you received and from who you received them.

Not that I don't believe you it's just that detailing how you are making the determination that company X is leaking information would be helpful.

Spammers send out emails to every possible permutation on various mail clients:

A@yahoo.com
AA@yahoo.com
AAA@yahoo.com
AAAA@yahoo.com

They use distributed networks of compromised systems to do this. The reason why spammers use trojan virii is not to steal data off that computer, but instead to control it so that it can use that infected computer's hardware and internet connection to contribute to the mass of random emails it sends out.

olegos said: I'm very disappointed to see Vanguard join the list.

Email travels through the internet unencrypted. From the time a message leaves Vanguard's servers to the time it arrives at your email provider, it passes through many hands. All it takes is one compromised server somewhere along the chain--a server that may be managed by an internet service provider with whom neither you or Vanguard have a relationship--for your email address to wind up in the hands of spammers.

Could Vanguard's systems have been compromised? Certainly. Can anyone prove it at this point? No.

This is the #1 reason why I love Sneakemail. It gives you an unlimited number of addresses that are redirected to your primary email address. No one ever gets your real address and you know exactly who to blame for your email being compromised. Already saved me a couple times when good, trustworthy companies got hacked.

cleanmug said: Could Vanguard's systems have been compromised? Certainly. Can anyone prove it at this point? No.
Yes. Two other people have now independently confirmed my observation, getting the same type of spam to address with Vanguard -- one publicly here, one with a PM.

Richardsonke said: Already saved me a couple times when good, trustworthy companies got hacked.
Who?

Hats off to you, OP, for being proactive with your privacy protection.
When companies are lax with one's email addresses, they can be lax with more personal information, too. OP, who's your host for the domain you have, and do those multiple email addresses come free?

Spammers sniffing router traffic...that doesn't seem unlikely to me, either.

Oh, and someone posted about Sneakemail...that's $2/month ($24 annually, I'll pass).

Ameritrade hack was widely-publicized because it affected many people over a prolonged period of time until they admitted the problem and plugged the hole.

Until there is a confirmation from many people I would make sure your own computer is not compromised. Some malware will scan your addressbook/inbox to collect all email addresses it finds and then share it with the "mothership". So if there are emails from Vanguard addressed to your unique email address it could get picked up this way.

Unfortunately, seems that nowadays you not only need to have unique passwords everywhere but even email addresses.

kamalktk said: Well, if the email address is something like vanguard.olegos@whatever.com, spammers may have just hit on this combination.
Not the OP, but I'm certain this was not the case for me. The e-mail address is at my own domain, and I run the e-mail server for the domain from my house. Unfortunately, I did not use an e-mail address specific to Vanguard, so I can't be sure they are the source from which my e-mail address was harvested.

The three e-mails I have received claim to be from "Stock Market Wizards" or "Your Stock Alert" (but with very different e-mail addresses), all have the subject, "The train has left the station but it's not too late to look at this stock!", and were all pumping UNLA.

chimeer said: olegos said: kamalktk said: olegos said: I didn't mean to imply that companies are doing this intentionally, and in fact I think this possibility is extremely unlikely.Your thread title certainly seems to say that you do. "Vanguard joins list of companies leaking email addresses to spammers"Really, the word "leak" has that kind of connotation? I admit that since English is not my primary language I may be missing it. But it seems to me that when say "a jet is leaking fuel" it doesn't imply that someone intentionally punctured its fuel line. Checking m-w it seems that "leak" is exactly the word I want: "to enter or escape through an opening usually by a fault or mistake". There's Vanguard's fault in not safeguarding the information, but I don't think there's an active intent to provide the info to spammers.Generally when a company or government agency is said to have a leak people are referring to an intentional dissemination of confidential information by a member/employee of the organization (without official/legal permission to give out the information). It's not something that would show up in most dictionaries so I can understand the confusion especially if English isn't your first language.I think the OP used the word "leak" as a technical/computer term, as in "memory leak." The title makes perfect sense to me (but I'm a computer guy).

olegos said: Richardsonke said: Already saved me a couple times when good, trustworthy companies got hacked.
Who?

Some of the companies included Microsoft (TechNet Subscription), Dominos, HomeAgain (pet RFID), edocr, and Nimbuzz. These are not small name companies and I'm 90% sure the address thefts were due to hacking of a marking company, rather than the original company. So, when you give someone your email address, you have to trust them AND whatever marketing company they may pick now or any time in the future.

mowo said: It seems many firms use an email marketing companies and those can get hacked. Here's a posting about one such case
Here's another: here and here (AWeber).

this whole thread reaks of libel

olegos said: michal1980 said: this whole thread reaks of libel
Before throwing words like that around, you should educate yourself: "Under the United States law, a statement cannot be held to be slanderous or libelous if it is true" (I'm sure you'll be able to find a similar cite elsewhere, if you try). I have proof for what I said.

Oh ya, your statments that Vanguard and others are now leaking emails is now 'proof'

olegos said: michal1980 said: Oh ya, your statments that Vanguard and others are now leaking emails is now 'proof'
My statements here obviously are not proof. Sounds like you need to work on your reading comprehension as well as understanding elementary concepts of U.S. law. Any company that thinks I slandered them can sue me and find out if what I have is proof.

Is it your understanding that nothing bad can ever be said publicly about a large company?

coming out and saying Vanguard leaks emails to spammers is more then saying something bad publically.

I understand us law. The question is do you? You have actual proof that Vanguard leaked emails to spammers? Or just assuming such because one of your random emails all of a sudden got spam? So you link the two?

I don't have an address specifically for Vanguard, but I do have one that I use only for financial institutions. About a week ago it started getting penny stock spam. I was wondering which of my FIs leaked it.

tripleB said: Spammers send out emails to every possible permutation on various mail clients:
This may be true for the big mail services, but doesn't explain how they wound up with my address which is on my own domain.

Edit: To be explicit, like others have reported, I'm getting mail from "Stellar Stocks" and "Stock Market Wizards" with return addresses at diziterminal.com and financecertificate.us. If it's all a coincidence that we started getting this spam around the same time, it's an awfully big coincidence.

I started getting a few stock tip spam emails about ten days ago. They were sent to the same address that Vanguard (and some others) has on file for me. After I tweaked my webmail spam settings, these emails are going into the spam folder. Sending addresses were actually from financecertificate.us, diziterminal.com, and arssan.com but usually read from 'Your Stock Alert' or 'Stellar Stocks'.

I've started recently getting stock spam as well from stocks@azragor.com. I'm guessing they were probably leaked by a Vanguard vendor (i.e. the company that does their marketing emails) rather than VG itself, though of course I have no proof of that.