nuxx.net
Making, baking, and (un-)breaking things in Southeast Michigan.

Spark Fun Electronics Hacked?

Hmm, I received this from what appears to actually be Spark Fun Electronics (sent from one of the servers physically near them), and the site itself is still offline:

Hello,

On February 8th, 2007 it came to our attention that someone or something gained unauthorized access to the Spark Fun Electronics server. It is highly unlikely that this person gained full access to our server data. But because there is no way for us to confirm the depth of the access, we felt it in the best interest to warn our (wonderful, wonderful) customers the server contained sensitive customer information including some credit card data. All numbers have since been removed and we are putting systems in place to better protect sensitive user information in the future.

Please check your credit card statement for any unauthorized activity. We will do everything in our power to work with you and your credit card company to investigate any discrepancies.

We truly appreciate your business and are very sorry to cause a scare. Please contact us (you can reply to this message) if you have any questions or concerns and we will address them as quickly as possible.

Best regards,
Spark Fun Electronics


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

UPDATE: Here’s some more info about the message… it appears to be legit:

c0nsumer@rowla:/var/log> grep "server89" maillog
Feb 12 13:36:26 rowla postfix/smtpd[50546]: connect from server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:26 rowla postfix/smtpd[50546]: setting up TLS connection from server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:26 rowla postfix/smtpd[50546]: TLS connection established from server89.sparkfun.com[65.58.240.213]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 13:36:27 rowla postfix/smtpd[50546]: 180394AC23: client=server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:27 rowla postfix/smtpd[50546]: disconnect from server89.sparkfun.com[65.58.240.213]
c0nsumer@rowla:/var/log>

server89.sparkfun.com is now down, and Spark Fun doesn’t publish SPF records. However, sparkfun.com is 65.58.240.188, so with a whole /25 (or less, maybe a standard /24?) they could be in the same subnet. It all appears to be in a block of colocated stuffs owned by dnssys.com, who doesn’t have much of a site. Still, the email message appears to be legit…
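The check described above can be scripted. The following is an added example, not part of the original post: it pulls the delivering client out of the maillog lines shown and computes the longest network prefix that client shares with the sparkfun.com address. The function names and the report layout are assumptions made for illustration.

```python
import ipaddress
import re

# The five maillog lines from the post, embedded so the example runs offline.
MAILLOG = """\
Feb 12 13:36:26 rowla postfix/smtpd[50546]: connect from server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:26 rowla postfix/smtpd[50546]: setting up TLS connection from server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:26 rowla postfix/smtpd[50546]: TLS connection established from server89.sparkfun.com[65.58.240.213]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 13:36:27 rowla postfix/smtpd[50546]: 180394AC23: client=server89.sparkfun.com[65.58.240.213]
Feb 12 13:36:27 rowla postfix/smtpd[50546]: disconnect from server89.sparkfun.com[65.58.240.213]
"""
WEBSITE_IP = "65.58.240.188"  # sparkfun.com, as stated in the post

# Queue ID followed by client=host[ip]: the line that ties a message to its sender.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")

def delivering_clients(log_text):
    """Return [(queue_id, hostname, ip)] for every message accepted in the log."""
    return [(m["qid"], m["host"], m["ip"]) for m in CLIENT_RE.finditer(log_text)]

def longest_common_prefix(ip_a, ip_b):
    """Longest IPv4 prefix length (0-32) under which both addresses share a network."""
    a, b = ipaddress.IPv4Address(ip_a), ipaddress.IPv4Address(ip_b)
    return 32 - (int(a) ^ int(b)).bit_length()

def check_sender(log_text, domain, website_ip):
    """Summarise, per accepted message, how the sending host relates to the domain."""
    report = []
    for qid, host, ip in delivering_clients(log_text):
        prefix = longest_common_prefix(ip, website_ip)
        net = ipaddress.ip_network(f"{website_ip}/{prefix}", strict=False)
        report.append({
            "queue_id": qid,
            "client_ip": ip,
            # Postfix logs "unknown" when the reverse name does not map back to the IP.
            "hostname_in_domain": host == domain or host.endswith("." + domain),
            "common_prefix": prefix,
            "common_network": str(net),
        })
    return report

if __name__ == "__main__":
    for row in check_sender(MAILLOG, "sparkfun.com", WEBSITE_IP):
        print(row)
```

For the logged message the two addresses share a /25 (65.58.240.128/25). That is circumstantial in a colocation block, since without SPF nothing published by the domain says which hosts may send for it.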

At least there are no strange charges on the card I used there. Yet. :(
