Customers' Email Addresses Stolen During Breach Of Several Companies
BOSTON (CBS) -- After millions of consumer email addresses were recently stolen, authorities are warning people to be on the lookout for phony emails from scammers trying to steal their personal information.
The email addresses came from customers of major banks and retailers.
Consumer advocate Edgar Dworsky, like many consumers, started getting email notifications over the weekend, first from Best Buy, then Tivo, and then Brookstone. They all had the same message, "Sorry but your email address was stolen."
"It is really big because it may be tens of millions or perhaps hundreds of millions of email addresses," said Dworsky.
WBZ-TV's Joe Shortsleeve reports.
It happened last Wednesday when a hacker broke into a computer system at Dallas-based email provider Epsilon.
At least a dozen companies lost email addresses, including banks, credit card companies, well-known retailers, Disney vacations, high-end hotel chains and even the college boards.
Experts suggest whoever did this is now ready for the next step: the creation of phony web sites. Scammers will try to convince consumers to go to these sites, and that is where they could have all their personal information stolen.
"So now everyone has my email address? Oh god," said one shopper at Best Buy.
"Yes they have my email address. They have to in order to get me my prescriptions. They have everything; credit cards too!" said a customer at Walgreens.
Advocate Dworsky says, "If you stored your credit card information on one of these sites -- Best Buy or Walgreens -- and you fall for one of these phishing emails that are likely coming down the pike, they can buy out the store and charge it to you."
Now experts say scammers will ask you to verify your personal information in an email. That is the red flag here. Don't do it. Don't click on the link.
The real companies already have your information, and they will not ask you to verify it in an email or at some bogus site.
According to state law, this is not considered personal information, so these companies are under no obligation to notify you of this breach. In order for it to be personal information, it would have to include a full name and an account number. In this case it is just an email and a first name.