Sparesbox Data Breach

A heads up to anybody who has shopped at Sparesbox in the past.

Today I have received, at two email addresses used only to shop at Sparesbox, emails from "Mary" stating "%%EmailAddress%%, it is Mary!" and "%%FirstName%%, I am Mary."

I have a domain name where I have a catch-all address setup so I commonly use an email address for each account on each website. The email addresses exposed were only used on Sparesbox, ever.

I am not sure what other information has been exposed but so far I can tell that first names and email addresses have.

Websites need to hold their customers' data more securely and be held accountable for breaches like this.

Comments

  • +2 votes

    I also got an email from Mary today. I wondered what caused it.

    • +2 votes

      Something about Mary.

      •  

        A Bloody Mary?

        •  

          Hair gel.

    •  

      Frank n beans

  • +1 vote

    I got one of those emails too but my first name was spelt wrong. I have bought from Sparesbox ebay a couple of times.

  •  

    has it been announced as an actual data breach? Or did they just sell their contact list?

    • +1 vote

      Their privacy policy states they will not sell or provide your data to third parties.

  •  

    does this include from ebay purchases?

    •  

      I've only bought from their eBay store and I received one of those emails.

  •  

    be held accountable for breaches

    Would be great if they were, might make them take it a little more seriously.

  •  

    Well, I got a winky face from Mary. I think I’m in…

    •  

      She might offer some great bitcoin deals, as well as notifying you that there is a package being held for you but you need to respond to an email first.

  •  

    Mary Mary you're on my mind

    •  

      Mary, Mary, quite contrary

    •  

      Mary, Mary, where you goin' to?

  •  

    I got 2 emails today from Mary with email body "Emmanuel, it is Mary.", however I have never purchased from Sparesbox directly, only via eBay.
    Only 1 of the email addresses that received Mary's email has been registered with eBay but both have been registered with catch.com.au.

  • +1 vote

    got one too but it showed my email prefix from an email used in ebay account

    •  

      Same. Mine was sent to an ebay associated address and not the address I use with the sparesbox website.

  • +1 vote

    Yep got one today "Penguincat, my name is Mary." yet the email address was a tim of eynir lol

    I've never capitalised the p in penguincat seeing as it's a made up word. Had used that email address on sparesbox directly so they used my email prefix and not my registered name?
    Does sort of remind me of the Domino's 3rd party/breach thing that happened several years ago. https://whrl.pl/ReZ6kQ

  • +8 votes

    Hi everyone,

    My name is Luke, I'm the Head of Customer Experience at Sparesbox. We are committed to protecting your privacy, ensuring the security of your data and keeping your information safe. We have taken steps to ensure that your personal information that we hold is stored in a secure environment in which is encrypted and protected from misuse, interference, loss, and any unauthorised access, modification or disclosure.

    Our technical teams work hard to adhere to the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) which set clear standards regarding the collection, use and disclosure of information.

    We thank you for raising this concern to us. We will now conduct internal discussions with relevant business units involved in the collection and use of your personal information and our Technical Teams will conduct a thorough investigation of our systems and the security measure in place. In the event that any such breach is identified, we will endeavour to reach out to customers to notify you of the results of our investigation.

    If you have further concerns or would like to know more, please reach out to me via email at [email protected].

    Luke Byrnes
    Head of Customer Experience
    Sparesbox

    • +1 vote

      How did the data breach occur? Are you 100% absolutely certain they don't have my payment/card details (should I request a new card)? Is it possible the data they have can be decrypted?

      All I found was this post, no announcement on the page or email sent out. I wish you at least contacted me advising what happened.

    • +4 votes

      Hi Luke,

      I reached out to you 8 days ago, I identified the breach in an identical manner to stickyfingers - I use "[email protected][mydomain.com]".

      Disappointingly, I have not received a response to my email. I've followed up again just now.

      This is deeply concerning as I have no knowledge of the extent of the breach, but it would not be unreasonable to assume that all data held by Sparesbox is now in the hands of an unauthorised party.

      Please respond urgently.

      For everyone else affected - after 30 days without a satisfactory response, you can make a privacy complaint: https://www.oaic.gov.au/privacy/privacy-complaints/before-yo...

      • +1 vote

        I assumed Sparesbox would have provided an update by now. I've received no updates either.

        Thanks for the link. I'll hang in a little longer before making a complaint. I suggest others do too.

      •  

        I left a comment for the rep in the thread above but he's not responded either.

        I don't think they care.

        • +2 votes

          They should care. Without customers they make no money.

          This is the kind of thing companies pull that results in gdpr-type legislation.

  •  

    I also got one from Mary, but they seem to have gotten my first name wrong e.g. my name is Andrea*, but they addressed me as Andrew.

    *Not my real name

  • +1 vote

    I got this crap too. Thank you for exposing where the breach came from.

    I have a domain name where I have a catch-all address setup

    How do you do this?

    • +5 votes

      Register a domain name and setup a wildcard/catch all (*) email address to forward to your Gmail, etc.

      Google Domains makes this really easy with their “Email Forwarding” option which is free with a domain.

      Then [email protected] will forward to your email. So I could make an email address such as [email protected] and I would receive it to my Gmail but it would maintain the “To” email as the one it was sent to.

      This is good for two reasons; the first is that you can identify who sent you the spam, the second is that you can setup a rule in your email client to block all emails sent to that address and wipe it out.
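      As an added illustration of the per-site alias trick described in the reply above (this is example code written for this thread, not anything from the original poster or from Sparesbox), the script below reads a few constructed raw messages, looks at which alias at a placeholder catch-all domain (`mydomain.example`) each one was delivered to, and names the site that alias was handed to whenever the sender is not that site itself. The alias list, expected sender domains and messages are all constructed for the example.

```python
# Added example (not from the thread): the per-site alias trick the reply
# describes, turned into a small triage script. Every shop gets its own
# address at a catch-all domain; when unsolicited mail lands on one of
# those aliases, the alias itself names the site that leaked it.
# Domain, aliases, senders and messages below are all constructed.
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALIAS_DOMAIN = "mydomain.example"  # placeholder catch-all domain

# Which site each alias was handed to (constructed bookkeeping).
ALIAS_TO_SITE = {
    "sparesbox-a": "Sparesbox",
    "sparesbox-b": "Sparesbox",
    "bookshop": "Bookshop",
}

# Sender domains each site is expected to mail from (constructed).
EXPECTED_SENDER_DOMAINS = {
    "Sparesbox": {"sparesbox.com.au"},
    "Bookshop": {"bookshop.example"},
}

# Constructed raw messages standing in for a mailbox export.
RAW_MESSAGES = [
    """\
From: Orders <orders@sparesbox.com.au>
To: sparesbox-a@mydomain.example
Subject: Your order has shipped

Thanks for your order.
""",
    """\
From: Mary <mary@spam-relay.test>
To: sparesbox-a@mydomain.example
Subject: it is Mary!

%%EmailAddress%%, it is Mary!
""",
    """\
From: Jess <jess@another-relay.test>
To: Me <sparesbox-b@mydomain.example>
Subject: how are you?

Hello, how are you?
""",
    """\
From: Newsletter <news@bookshop.example>
To: bookshop@mydomain.example
Subject: New releases

Nothing unusual here.
""",
    """\
From: Mary <mary@spam-relay.test>
To: unknown-alias@mydomain.example
Subject: it is Mary!

Never handed out, so not attributable to any site.
""",
]


def delivered_alias(msg):
    """Local-part of the first recipient at ALIAS_DOMAIN, or None."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    for _name, addr in getaddresses(fields):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == ALIAS_DOMAIN:
            return local.lower()
    return None


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def attribute_leaks(raw_messages):
    """Map each site to the (alias, sender domain) pairs of unexpected mail it drew."""
    report = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = delivered_alias(msg)
        site = ALIAS_TO_SITE.get(alias)
        if site is None:
            continue  # alias never handed out: nothing to attribute
        origin = sender_domain(msg)
        if origin in EXPECTED_SENDER_DOMAINS.get(site, set()):
            continue  # the site mailing its own alias is expected
        report.setdefault(site, []).append((alias, origin))
    return report


def leaked_sites(raw_messages):
    """Sorted names of sites whose aliases received unexpected mail."""
    return sorted(attribute_leaks(raw_messages))


if __name__ == "__main__":
    for site, hits in attribute_leaks(RAW_MESSAGES).items():
        print(f"{site}: {len(hits)} unexpected message(s)")
        for alias, origin in hits:
            print(f"  {alias}@{ALIAS_DOMAIN} <- {origin}")
```

      One caveat worth knowing before relying on this: bulk mailers often put the real recipient only in the SMTP envelope, so the `To:` header can be missing or generic. The `Delivered-To:` header that the receiving mail server adds is the more dependable place to read the alias from, which is why the script checks it alongside `To:` and `Cc:`.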

  • +3 votes

    I’ve made a few other purchases with Sparesbox under different emails and they all received more Mary spam today.

    •  

      I've always had issues with the store over promising goods and under delivering. Sadly I used my personal email to make purchases but am genuinely worried. Would you advise I cancel my cards?

      Ironically I once met one of their employees at a track day, Jake (or James, tubby guy with glasses). I was with a group of friends and we all found him condescending and patronising. Cool car though.

      •  

        What's the downside of using a personal email for purchases from sites?

        Is it that you just get spam on your personal email when there is a breach?

        And what happened with them promising and then not delivering goods?

        •  

          What's the downside of using a personal email for purchases from sites?

          A downside is potential spam for your personal inbox. I thought sparesbox was safe but this just proves otherwise.

          And what happened with them promising and then not delivering goods?

          they resell goods which they don't physically stock, ie, acting as a middle man. In the past I've bought a variety of items only to find certain items are out of stock with no further date. The other items kind of go together so it really inconvenienced me. Had I known not all the items were available, I wouldn't have purchased.

        • +2 votes

          Downside is that once you get spam you can’t stop it but also if you reuse passwords (we all do it) then they know what email address to login with and may also be able to reset your password by guessing your security questions.

          My partner had her information leaked recently due to a breach and despite her best efforts to change passwords she forgot about her PayPal… if she had used a different email for PayPal it would have been unlikely they would have known what email to login with and so it wouldn’t have mattered if they knew the password.

  •  

    Have also received 2 emails from Mary - 2 different accounts, both of which I’ve used with Sparesbox… I’m Jack but she called me Jacky :(

  •  

    I got an email from “Mary” too, via an email forward I’ve used for a purchase with these guys. Good catch OP.

  •  

    I got it too :(

  •  

    We did it bois

  •  

    Just got a different one today. Same spelling mistake on my first name but this time it's from Jess instead of Mary.

    •  

      do we change our passwords now?

    •  

      Yeah got the Jess one too.

  • +2 votes

    Did you all get a Welcome to Sparesbox e-mail today? I just got one.

    • +1 vote

      Yup. Pretty much a confirmation of the breach.

    •  

      Yes, lucky it's not showing up in https://haveibeenpwned.com/, but maybe it's too early to tell… Not happy!

      •  

        Mine has shown up as having 1 breach. I use 2fa on important stuff and different passwords so not too worried. Haven't checked lately so not sure if it's related to Sparesbox though.

    •  

      So what did it say? I've only purchased from their eBay store and not from their webstore so didn't get one. Shouldn't they be sending it to all their customers seeing as their eBay customers had their details breached too.

      •  

        Welcome to Sparesbox. Please click the link below to create a password and sign-in.

        With a Zendesk link

        •  

          Cool, thanks.

    •  

      Nope, none here.

  • -1 vote

    Hi everyone,

    I apologise for the confusion. This is actually a completely separate issue that I'm happy to explain.

    Recently, we updated our Customer Relationship Management System (CRM) with a new one called Zendesk. For those that don't know, a CRM is a system that allows us to support our customers via email, live chat, phone and even Facebook in one place. It's very handy in that we can see all your contact with us and don't need to explain what you need multiple times when speaking to our staff.

    There is a function in the new system that allows customers to sign up for support. It's designed for businesses that use it for client management rather than what we do. It was switched off and should not have sent an email through but we've identified a bug that allowed it to be sent regardless. It's why the email is so badly formatted; it was never meant to be sent.
     
    This isn't something to worry about and you can simply delete or discard the sign up email you have received. 

    If you have any further questions or concerns, please reach out to me via email at [email protected]sparesbox.com.au

    Luke
    Head of Customer Experience
    Sparesbox

    Kind regards, 

    Customer Experience Team
    Sparesbox

    • +1 vote

      What an odd bug.

      Wouldn't this mean that other companies who use this Zendesk software would also be affected by the bug?

      …so just to confirm, on data breach?

      • +2 votes

        We use Zendesk. This sounds dodgy as (profanity)

  • +2 votes

    Got another one this morning, this time it’s from Jess.

    •  

      I just got one from Jess from a yahoo email address about an hour ago. "Hello Penguincat, how are you?" Must have been a long day.

      • +1 vote

        The one I got was “Hi mapax, how do you do?”

    •  

      Yep I'm getting bombarded with Jess ones now.

  • +1 vote

    Anyone get sms spam today?
    I haven't had any in a very long time.

    Today I got this:
     Hello - Your item is being held at our intl forwarding centre. Please follow instructions: {spam url}

    •  

      I've also received spam but am unsure if this one is sparesbox related. I hope they can fix things soon.

      • +2 votes

        Yeah, they really should own up to it if it has indeed happened.

        Staying silent doesn't do much for retaining the customers' trust.

        Prices are great, the Web interface is good, but shipping times are some of the worst I've experienced from an online store.

        I can't see myself dealing with them again.

  •  

    Also got one from Jess, with incorrect name e.g. Andrew instead of Andrea

    •  

      Yeah, mine had a spelling mistake too.

  •  

    Sounds like Luke has no idea about the data breach and does not know what went wrong as normally a CRM does not allow customers to sign up for "remote" support access to send out emails to people registered in the CRM, unless someone has granted them access or the system was left wide open.

    If they did leave it wide open then the access would have allowed them to grab the details and therefore it was a breach. If someone granted them access then even worse as it shows the staff are incompetent.

    • +1 vote

      Are mods aware of this?
      Not sure what the rules are and whether sparesbox deals would be allowed here while it's up in the air

  •  

    Did anyone take this to the OAIC? It's pretty significant.

    I used to get a similar thing after ordering Dominos.

    • +2 votes

      I've been meaning to follow up on this as it seems like Sparesbox are just hoping we'll forget…

      I'd suggest those who received any emails from this to contact [email protected] and ask for an update.

      Luke Byrnes, Head of Customer Experience is the one who has been commenting on the thread and who I first informed.

      They need to be investigating this and notifying customers. I won't be ordering from them again after their poor handling of this.

  • +1 vote

    Has this been reported to the authorities or are we relying on a sparesbox technician to investigate (who is probably the owner's cousin's dog's babysitter)?

    See privacy complaint section: https://www.oaic.gov.au/privacy/notifiable-data-breaches/rep...