On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address.
I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" (search without the quotes) are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. (I don't actually do that with most companies where I create accounts. But after hearing all the AmeriTrade stories, I created an account with them in April just for the purpose of entering a unique e-mail address and seeing if it would get leaked.)
What I think is odd is that despite all the blog posts about this issue, as far as I can see it's never been covered in the "mainstream" Internet press. You would think that an ongoing security breach -- not just a one-time breakin, but an ongoing problem where even recent signups have their e-mail addresses compromised just like people who signed up two years ago -- would be a big deal when it involves a company the size of AmeriTrade, especially when they also store people's bank account information, social security numbers, etc.
I wrote about my AmeriTrade experiment at Slashdot.
If you decide to try this experiment yourself, you'd need a domain where you can create your own arbitrarily long e-mail address, then create an AmeriTrade account and give that e-mail address to them and nobody else. Note that when I signed up for my own AmeriTrade account, I had to give them my real social security number and other personal information, since they gave me a big scary warning that "federal law" required me to give correct information "in order to fight terrorism and money laundering activities". If my e-mail address got stolen, who knows if my other personal information got stolen along with it. So there's a certain amount of risk here if you want to try it yourself. Of course you don't *have* to try it yourself if you're interested in investigating the issue; most of the bloggers who wrote about this issue sounded plenty pissed off and would probably be happy to talk to the press.
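The experiment above is a "canary address" scheme: one unique address per service, so whichever address later turns up in spam names the service that leaked it. The script below is an added example (editor's code, not anything the author or AmeriTrade published) showing how to run that scheme on your own domain without keeping a list of random strings around: each alias is derived with HMAC from a private secret and the service name, so you can regenerate every alias from the secret, while a spammer holding one alias cannot guess the others. The secret, the domain `example.invalid`, and the sample spam message are constructed for illustration.

```python
"""Canary e-mail addresses: one unique alias per service, traced back on leak.

Added example; the secret, domain and sample message are constructed.
"""
import hashlib
import hmac
import string
from email import message_from_string
from email.utils import getaddresses

ALPHABET = string.ascii_lowercase + string.digits  # 36 mailbox-safe symbols

# Hypothetical values: use a random 32-byte secret and keep it off the mail server.
SECRET = b"replace-me-with-32-random-bytes"
DOMAIN = "example.invalid"


def make_alias(service: str, secret: bytes = SECRET, domain: str = DOMAIN,
               length: int = 16) -> str:
    """Derive a reproducible but unguessable 16-character local-part for a service.

    Keying the HMAC with a private secret means knowing the AmeriTrade alias
    tells a spammer nothing about the alias given to any other service.
    """
    key = service.strip().lower().encode()
    digest = hmac.new(secret, key, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # 256 bits, enough for ~49 base-36 digits
    local = []
    while len(local) < length:
        n, r = divmod(n, len(ALPHABET))
        local.append(ALPHABET[r])
    return f"{''.join(local)}@{domain}"


def build_registry(services):
    """Map each alias back to the (normalized) service it was handed to."""
    return {make_alias(s): s.strip().lower() for s in services}


def attribute(registry, address):
    """Return the service that received `address`, or None if it is not a canary."""
    return registry.get(address.strip().lower())


def leaked_services(registry, raw_message):
    """Name every service whose canary appears among one message's recipients.

    Stock spam often lists dozens of targets in To:/Cc:, so every recipient is
    checked; Delivered-To is the envelope recipient and survives a forged To:.
    """
    msg = message_from_string(raw_message)
    headers = (msg.get_all("to", []) + msg.get_all("cc", [])
               + msg.get_all("delivered-to", []))
    found = set()
    for _display_name, addr in getaddresses(headers):
        service = attribute(registry, addr)
        if service:
            found.add(service)
    return found


# Constructed sample: a pump-and-dump mail sent to the AmeriTrade canary
# (in upper case, to exercise normalization) plus two unrelated recipients.
REGISTRY = build_registry(["AmeriTrade", "cbot-newsletter", "bank"])
SAMPLE_SPAM = f"""From: "Hot Picks" <noreply@spammer.invalid>
To: {make_alias('ameritrade').upper()}, someone.else@other.invalid
Cc: another@other.invalid
Delivered-To: {make_alias('ameritrade')}
Subject: XYZQ set to explode Monday!!

Buy now.
"""

if __name__ == "__main__":
    for service in ("ameritrade", "cbot-newsletter", "bank"):
        print(f"{service:16} -> {make_alias(service)}")
    print("leaked by:", sorted(leaked_services(REGISTRY, SAMPLE_SPAM)))
```

Run it once to print the alias to hand to each service; when spam arrives, feed the raw message to `leaked_services` and the returned set names the leaking party. Because the alias is a function of the secret and the service name, losing the registry costs nothing, and the same secret can be used to mint a fresh alias (`"ameritrade-2"`) after a confirmed leak.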
AmeriTrade, for their part, has been responding to people who complain by sending them this message, which contains this curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? What possible security-related reason could there be for that? It sounds suspiciously like saying, "Don't retain any independent evidence that we leaked your e-mail address."
A Boing Boing reader says:
I have had a similar experience after signing up for a newsletter from the Chicago Board of Trade. They have a daily newsletter that--like you--I signed up for with a brand new email address. Within a couple of weeks I was getting anywhere from 2 to 10 "trade suggestions" a day from various senders -- totally botted.
My suspicion is that the CBOT probably has no idea that they've allied themselves with spammers. What I mean is, they no doubt are aware of the relationship they have with whomever is doing the spamming, but just have no idea that they're doing the spamming.
I base this assumption in large part on the warehouse of circa 1981 tech sitting under the trade pit.
Anyway - thanks for the article. If you choose to post my comment, please leave it anonymous as I work in the industry for a CBOT member.