I'm a long-time DO customer (and recent shareholder). And I received a copy of this email from DO this morning.
I'm beyond frustrated by this. Among other things, this leak correlates my email address to billing location. AKA, where I fucking live.
Unlike other breaches that simply leak a password, credit card, where I live is pretty static. So, now I have to accept the fact, that unlike before, my darkweb profile will include my physical address. Fucking great.
For the future, get a PO Box address that works as a regular address (UPS offers this for example), and use it with all the banks and literally everywhere - anyone may get hacked and leak your address...
I prefer a virtual mailbox (like iPostal1). You can view your mail from anywhere and choose to have individual mail sent to you anywhere in the world. A PO box is not convenient.
I did not find anything about the security of scanned documents or how they are destroyed on the iPostal1 website. Have you inquired about how they handle their digital document security?
This is way worse than it seems. With name, address, and last four credit card digits, there’s a very real threat that your other accounts can be hacked either by forgot-my-password or social engineering.
It's not very damaging though. What good is `the last four digits` of a credit card? Also: Although PII was leaked, how useful is that, when previous breaches have exposed half the planet already? If I want someone's SSN to do identity theft, then I can access that very readily and easily in other breach corpuses, and they don't need to be in this breach.
It would be useful for social engineering, though I'd hazard a guess that a lot of DO customers are going to be more aware of that kind of thing. I've seen email and phone scams where the scammer gets info from a data leak and uses it to lull the target into a false sense of security before trying to extract more useful information.
"Hi, I'm calling from Bank of America about your debit card ending in XXXX. We've noticed some suspicious activity. Did you make a purchase for $200 at SomeOutlandishlyExpensiveStore? Oops, I need to verify your identity first? Can you give me your SSN?"
There you have two pieces of not-very-public information from the leak, and some bait to incite a little bit of panic, which might impede their judgement enough that they won't be too suspicious.
"Hello Joe Smith. This is Amazon. We had an issue processing your card ending in 1234. Please send us updated credit card details or we will have to close your Amazon account."
Something along those lines. Someone more creative could craft a better message.
“Who cares about PII leaks when there have been other breaches” is a weak argument.
Aside from being helpful for phishing, leaking the last 4 is enough for the issuer to pull the card, which is a major annoyance if you have other things billed to that card that will now all need to be updated.