Somebody leaked launchpad email db

Asked by Dan Dreifort on 2017-04-21

I logged into launchpad.net a couple of times a while ago, to test it. I set up a unique forwarder address: launchpad@mydomain, used only with the launchpad account.
I just started getting spam to that email address. I went with another project management system, so I'm shutting down that email address and won't see your replies here. Just thought somebody might like to know that either the launchpad email db isn't secure, or it was sold/given away to spammers. I've included the headers below, in case that helps.

Return-Path: <email address hidden>
Delivered-To: [REDACTED]
Received: from [REDACTED]
Return-path: <email address hidden>
Envelope-to: launchpad@[REDACTED]
Delivery-date: Fri, 21 Apr 2017 14:41:02 -0500
Received: from funktion.fm ([216.51.232.227]:45917 helo=racolage.xxx)
 by[REDACTED]
 (envelope-from <email address hidden>)
 id 1d1eQO-000LBR-Vc
 for launchpad@[REDACTED]; Fri, 21 Apr 2017 14:41:02 -0500
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1])
 by racolage.xxx (Postfix) with ESMTP id 026643061A46
 for <launchpad@[REDACTED]>; Fri, 21 Apr 2017 15:40:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=racolage.xxx; s=mail;
 t=1492803647; bh=CGg6gwQuG4AlN1PxwwaI3L4peehXDm8TjxZ1JWyOZMI=;
 h=From:To:Subject:Date:From;
 b=LtrrI7ltrMzcgCcjS87CJpOrMtd6IBpjRbCWSlTkUd81roJJZfY0ozLvBKJLtL2iG
  /6lUoa+aCpgRm6lv3hv8vU4x4OPBvMZzGOWcc1H8toy1o/C9XlKM6GP7SChj/dBDSz
  c9IqIGFvXUoPjht6liBesoSBS7RId8EojV/EglVY=
Content-Type: multipart/mixed;
 boundary="----sinikael-?=_1-14928036469990.36846745768073275"
From: =?UTF-8?Q?racolage=2Exxx_=E2=9B=85_=E2=9A=A1?= <email address hidden>
To: launchpad@[REDACTED]
Subject: AUDIO TRACK #1 | Contact Person - Your Email Address Was Selected
Message-ID: <email address hidden>
X-Mailer: nodemailer (2.7.2; +https://nodemailer.com/;
 SMTP/2.7.2[client:2.12.0])
Date: Fri, 21 Apr 2017 19:40:46 +0000
MIME-Version: 1.0
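Investigating a tagged-alias leak like this one usually starts with the Received chain and the DKIM signature: who connected to your MX, what name it claimed, and which domain signed the message. The Python below is an added example (not from the question or from Launchpad) that parses a condensed, constructed copy of the headers above; the redacted recipient and the Return-Path are replaced with example.invalid placeholders and the DKIM b= value is truncated.

```python
import re
import email
from email import policy

# Constructed sample, condensed from the headers quoted in the question above.
# Redacted addresses are replaced by example.invalid; the DKIM b= value is truncated.
RAW = """\
Received: from funktion.fm ([216.51.232.227]:45917 helo=racolage.xxx)
 by mx.example.invalid
 for launchpad@example.invalid; Fri, 21 Apr 2017 14:41:02 -0500
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1])
 by racolage.xxx (Postfix) with ESMTP id 026643061A46
 for <launchpad@example.invalid>; Fri, 21 Apr 2017 15:40:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=racolage.xxx; s=mail;
 t=1492803647; h=From:To:Subject:Date:From; b=LtrrI7ltrMzcgCcjS87CJpOr
From: =?UTF-8?Q?racolage=2Exxx_=E2=9B=85_=E2=9A=A1?= <news@racolage.xxx>
To: launchpad@example.invalid
Subject: AUDIO TRACK #1 | Contact Person - Your Email Address Was Selected

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(msg):
    """Received chain oldest-first: (claimed host, IP, HELO name, receiving host)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # top header is the newest hop
        m = HOP_RE.search(str(value))
        if not m:
            continue
        claimed, info, by = m.groups()
        ip = IP_RE.search(info)
        helo = re.search(r"helo=(\S+)", info)
        hops.append((claimed, ip.group(1) if ip else None, helo.group(1) if helo else None, by))
    return hops

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)  # policy unfolds headers
    dkim = {k: v.strip() for k, v in re.findall(r"(\w+)=\s*([^;]*)", str(msg["DKIM-Signature"] or ""))}
    hops = parse_hops(msg)
    from_domain = msg["From"].addresses[0].domain if msg["From"] else None
    return {
        "hops": hops,
        "dkim_domain": dkim.get("d", ""),
        "dkim_selector": dkim.get("s", ""),
        "from_domain": from_domain,
        # Alignment only tells you who signed the mail, not that the sender is legitimate.
        "dkim_aligned": bool(from_domain) and dkim.get("d", "") == from_domain,
        # The local part of the tagged alias identifies which service received the address.
        "alias_tag": msg["To"].addresses[0].username if msg["To"] else None,
        # A HELO name that differs from the connecting host's name is a classic red flag.
        "helo_mismatch": any(h[2] and h[2] != h[0] for h in hops),
        "origin_ip": next((h[1] for h in hops if h[1] and not h[1].startswith("127.")), None),
    }
```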

Question information

Language:
English
Status:
Answered
For:
Launchpad itself
Assignee:
No assignee
Last query:
2017-04-21
Last reply:
2017-04-21
Dan Dreifort (r-launchpad-u) said : #1

...or is it possible a bot just crawled launchpad user pages?
Are email addresses publicly accessible?
If so. Lame.
Regardless, there's something to fix here.

Colin Watson (cjwatson) said : #2

You didn't select the "Hide my email addresses from other Launchpad users" option (on https://launchpad.net/~/+edit), so all it would take would be a crawler with an otherwise-unprivileged Launchpad account.

(Perhaps there is a case for changing the default value of that option for new accounts. I wasn't around when the current default was chosen.)

I just got the same email. I too have an email address like <email address hidden> and I checked the box "Hide my email addresses from other Launchpad users". The fact that it is the first Spam email to this address and that the account exists for many years suggests that this address is not publicly available.

It looks like someone from racolage.xxx got access to Launchpad's email database. Not cool...

Colin Watson (cjwatson) said : #4

Thanks for letting us know. There are of course likely possibilities other than a full-scale DB intrusion, such as a compromise of an email host or a network compromise somewhere along the path that email from Launchpad takes to reach you, or even just an email to somebody else that discloses your email address when it shouldn't have done. But I've asked for an intrusion check just in case.

You could run a WHOIS search for that domain. Maybe the name of the domain owner or his Github handle "sebpiq" rings a bell.

Colin Watson (cjwatson) said : #6

Thanks, I'd already found that sort of thing.
