June 4, 2009 in Writing

How to harvest the Primus customer database in 3 easy steps

These economically challenging times — will this phrase ever get old? — call for desperate marketing efforts. Primus, a small Canadian telecom, emailed all its customers with a customized video that congratulates them for stimulating the economy by referring new customers.

Unfortunately, they couldn’t afford some basic security and the names and email addresses of perhaps all of their customers have been exposed.

The harvesting recipe

  1. Go to one of the landing pages. Here’s a random one: http://primusstimulus.ca/landing.aspx?xid=15459742
  2. Avert your eyes from the video and hit “Customize and Send to Your Friends.” Voilà! Someone’s information.
  3. Repeat Step 1 but with a different xid number at the end of the URL. Any 5 digits after the “154” seem to work.

The kicker? The privacy policy at the bottom of the page says that this information won’t be “shared with any third parties.”
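As an added illustration, not code from the original post and not Primus’s code, the following Python shows the pattern behind the leak beside the usual fix: a landing page keyed on a sequential row id can be walked, while one keyed on a random per-customer token (stored only as a hash) cannot. It also includes the kind of server-side check that would have flagged a single client requesting many different xids. The customer records, names, addresses and log lines are constructed for the example.

```python
"""Sequential-id landing page versus unguessable-token landing page,
plus a simple enumeration detector over access-log lines."""
import hashlib
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample customer table (ids modelled on the 154xxxxx range
# in the post; names and addresses are invented).
CUSTOMERS = {
    15459742: {"name": "Alice Example", "email": "alice@example.net"},
    15459743: {"name": "Bob Example", "email": "bob@example.net"},
}


# --- Vulnerable pattern: the link carries the database row id directly -----
def landing_vulnerable(xid: int):
    """Returns whatever record sits at that id; neighbouring ids are one
    increment away, so the whole table is reachable by counting."""
    return CUSTOMERS.get(xid)


# --- Hardened pattern: the link carries a random per-customer token --------
# Only sha256(token) is stored, so a copy of this table does not yield
# working links.  Maps digest -> customer id.
TOKEN_INDEX: dict[str, int] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(customer_id: int) -> str:
    """Mint the token that goes into the customer's personalised URL.
    256 bits of randomness: there is no adjacent value to try next."""
    token = secrets.token_urlsafe(32)
    TOKEN_INDEX[_digest(token)] = customer_id
    return token


def landing_hardened(token: str):
    """Look up the customer by token digest; unknown tokens yield None."""
    customer_id = TOKEN_INDEX.get(_digest(token))
    return CUSTOMERS.get(customer_id) if customer_id is not None else None


# --- Detection: one client requesting many distinct xids -------------------
# Constructed log lines: "<client-ip> <method> <path>".
SAMPLE_LOG = """\
10.0.0.5 GET /landing.aspx?xid=15459742
10.0.0.5 GET /landing.aspx?xid=15459743
10.0.0.5 GET /landing.aspx?xid=15459744
10.0.0.5 GET /landing.aspx?xid=15459745
10.0.0.5 GET /landing.aspx?xid=15459746
10.0.0.5 GET /landing.aspx?xid=15459747
10.0.0.9 GET /landing.aspx?xid=15373977
10.0.0.9 GET /landing.aspx?xid=15373977
"""


def flag_enumerators(log_text: str, threshold: int = 5) -> list[str]:
    """Return client addresses that requested at least `threshold` distinct
    xid values.  A real recipient opens one link, perhaps a few times;
    a scraper walks the id space."""
    distinct_ids = defaultdict(set)
    for line in log_text.splitlines():
        ip, _method, path = line.split(" ", 2)
        xid = parse_qs(urlparse(path).query).get("xid", [None])[0]
        if xid is not None:
            distinct_ids[ip].add(xid)
    return sorted(ip for ip, ids in distinct_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, id 15459743:", landing_vulnerable(15459743))
    tok = issue_link_token(15459742)
    print("hardened, valid token:", landing_hardened(tok))
    print("hardened, guessed token:", landing_hardened("anything-else"))
    print("flagged clients:", flag_enumerators(SAMPLE_LOG))
```

The token approach only removes the guessability of the link; the “Customize and Send” form should still show a recipient only their own record, and the `flag_enumerators` threshold is a starting point to tune against real traffic.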

Credit goes to Stephen van Egmond for originally spotting this problem.

Jason Doucette (who reminded me about what I’d read in bed this morning) has a much more thorough analysis.

Update: RT says: “AFAICT, the lower bound on Primus’s site was 15373977, up to at least 15500000. So they potentially leaked 126,023+ emails/names.”

Update: Party over? The site is down.


This entry was written by Andrew Louis on June 4, 2009 and posted in Writing.