"Documents for Brian Boll" spam emails - Cactus Nav security breach? (Cactus Navigation)

KompetentKrew

Hello,

Just a heads up about the email you may have received, allegedly from a recruiter (Michael Page International UK Recruitment) with a link that says "DOCUMENTS for Brian Boll" - don't click on this, as it's a spam site or may attempt to download a virus.

I received this email to an address of the format cactusnav.com@my-domain.co.uk - i.e. it's an address I gave to Cactus Navigation when I bought a bilge pump from them in June 2019, and it's an address I have given to no-one else, so I assume that others here may be affected.

 

Gwylan

Cactus seem to have sloppy security or a pissed-off employee.

Used a unique address for them and got all sorts of tosh coming through.

Since I am unlikely to buy from them I shut the address and treat their emails as spam.
No way of knowing what amazing offers I might have missed.
 

prv

> Please forgive the thread drift - but that seems a brilliant idea. How would one go about replicating your email domain set up?

If you own a domain, you can set up whatever addresses you like there. You can either set it so that <anything>@your-domain.co.uk ends up in a single catch-all (also known as "postmaster") mailbox, or create a new address specially each time you need one. Supposedly catch-alls are not recommended nowadays, but I've been doing it for twenty years and have far too many addresses out there to try to retrospectively set up aliases for them all. Plus I'm lazy.

You set this stuff up in the control panel for your domain and/or mailbox host, which will all vary.

Pete
 

KompetentKrew

> If you own a domain, you can set up whatever addresses you like there. You can either set it so that <anything>@your-domain.co.uk ends up in a single catch-all (also known as "postmaster") mailbox, or create a new address specially each time you need one. Supposedly catch-alls are not recommended nowadays, but I've been doing it for twenty years and have far too many addresses out there to try to retrospectively set up aliases for them all. Plus I'm lazy.
>
> You set this stuff up in the control panel for your domain and/or mailbox host, which will all vary.

The good thing about setting up individual addresses is that you can just disable them when you start receiving spam to them, as I will now disable my cactusnav.com@… address (just going to keep it up a day or two more to see if an apology is forthcoming).

Presently I'm with 123-reg and set up each address as a forward to another mailbox, from one of the free providers, but I can no longer recommend them as their interface for managing email addresses has become much slower since they revamped it a year or so ago.

I also now keep a couple of addresses for "disposable" use, using each for a year or two before moving onto the next one - e.g. abc-2018@mydomain.co.uk and 2019xyz@mydomain.co.uk; when I open an x2021x@mydomain.co.uk address I shall delete the 2018 one. I use these when I'm in a hurry or can't be bothered to create a new address.
 

KompetentKrew

Let me add that this practice with regard to email addresses once exposed a security flaw in Marine Super Store's website. I emailed them about it and they had the developers fix it the same evening. I see now that I emailed them at 4:33pm and received an apology from the managing director at 9:25 the next morning. IMO this is gold standard of responsiveness.
 

adwuk

I'm pretty sure that Cactus had their site hacked at the end of 2020, and they sent out an email about it advising people to change their passwords. Clearly whatever was stolen (i.e. email addresses) has now been sold on.
 

Yorkshire Exile

I received this from Cactus 23/12/20:

Dear Customer,
In the last 48 hours we have been made aware of a possible data breach on the Cactusnav website involving email addresses and passwords.

After conducting a full security investigation with our ISP who hosts the website, and implementing further security upgrades, we notified the technical team at the ICO under our GDPR obligations.
They have assessed the possible breach as low risk as all customer account passwords for our website are fully encrypted, however, I would encourage you to change your password as a precaution, particularly if you use the same password for other sites.

Although we are a small business, Cactus takes customer privacy and data security extremely seriously and can assure you we NEVER share customer information to outside parties, and DO NOT store customer’s financial data credit cards, bank details or PayPal information etc.

I am very sorry for any inconvenience and concern this may cause, please feel free to contact our head of IT David Williams (david.williams@cactusnav.com) if you require additional information or wish to discuss this further.

Best Regards

Andrew Smythe
Managing Director
Cactus 020 Ltd.
 

Stemar

> Although we are a small business, Cactus takes customer privacy and data security extremely seriously and can assure you we NEVER share customer information to outside parties, and DO NOT store customer’s financial data credit cards, bank details or PayPal information etc.

Given the much bigger, much more IT-savvy companies that get hacked, any "ordinary" company must expect its systems to be hacked. Not storing any financial information and warning people when it does happen seems to me to be as much as any normal company can be expected to do.

As discussed elsewhere, I haven't had any spam for the last week or two. While I'm glad for those who might be conned, I kind of miss the entertainment value.
 

prv

> The good thing about setting up individual addresses is that you can just disable them when you start receiving spam to them, as I will now disable my cactusnav.com@… address

You can still do this if you have a catch-all - just create the address later and then incoming mail for it won't end up in the catch-all. The new address could be given its own IMAP mailbox (my domain is based on my surname, and I have some family with their own addresses and mailboxes there), or in the case of company addresses that have become spammy, set to either bounce mail or accept and delete it. I have a few dozen of these cancelled addresses; the point is that I don't need to do anything special until it becomes a problem. I can just make up whatever I want at my domain on the spur of the moment while filling in a form.

Pete
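
Added example, not part of any post in this thread: a small Python check that applies the per-vendor address scheme discussed above (vendor-domain@my-domain.co.uk) to incoming mail and flags messages that reach a vendor alias from an unrelated sender. The domain, the sample senders, the disabled alias and the verdict names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "my-domain.co.uk"  # placeholder domain used in the thread
# Aliases already shut down after attracting spam (constructed value).
DISABLED = {"oldshop.example@my-domain.co.uk"}

def issued_to(recipient):
    """Return the vendor domain encoded in a per-vendor alias, else None."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != MY_DOMAIN or "." not in local:
        return None  # other domain, or a yearly throwaway such as abc-2018@
    return local

def classify(raw_message):
    """Return (verdict, vendor) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # From is trivially forged: a match is only a hint, a mismatch is the signal.
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _, rcpt in getaddresses(headers):
        vendor = issued_to(rcpt)
        if vendor is None:
            continue
        if rcpt.lower() in DISABLED:
            return ("alias-disabled", vendor)
        if sender_domain == vendor or sender_domain.endswith("." + vendor):
            return ("expected-sender", vendor)
        return ("leak-suspected", vendor)
    return ("untracked", None)

def make(sender, rcpt):
    """Build a constructed sample message."""
    return f"From: {sender}\nTo: {rcpt}\nSubject: test\n\nbody\n"

SAMPLES = {  # all senders below are constructed
    "vendor": make("Cactus <news@cactusnav.com>", "cactusnav.com@my-domain.co.uk"),
    "spam": make("Recruiter <docs@recruiter.example>", "cactusnav.com@my-domain.co.uk"),
    "yearly": make("shop@store.example", "abc-2018@my-domain.co.uk"),
    "dead": make("x@spam.example", "oldshop.example@my-domain.co.uk"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A "leak-suspected" verdict says only that the alias has reached someone other than the vendor it was issued to; it does not show how the address got out.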
 