I received the email this morning. I am not feeling that comfortable with this answer from Mercury. I am going to follow up
Here is a crazy notion, let's give peace a chance.
MikeB4:
I received the email this morning. I am not feeling that comfortable with this answer from Mercury. I am going to follow up
You are right to feel so.
Obviously some data were downloaded by scammers - from reddit:
So I work in security among other areas and started getting weird scam calls about my Mercury account recently. Got suspicious and decided to poke around their API to see what was going on.
----
Creator of whatsthesalary.com and whatstheincometax.com
We believe it’s unlikely your rewards profile has been accessed, and we continue to strengthen our rewards security.
If I got this message I’d assume “unlikely” means they have no definitive proof either way. Likely that means the API has inadequate logging and they’ve made some assumptions.
What other information was available through the API? Could anyone enumerate users and emails? That alone would be a big deal.
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
Try interacting with AI and ask it to use python to do something with a documented API for website that you use. It doesn't take much to have it lead you down the path of pressing f12 and looking through the data source to find an ID number or other useful goodies.
Any normal person would then wonder what happens if they change that number. It's literally child's play, even more so now with AI helping anyone to make simple queries.
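The "change the number and see what happens" problem described above is an insecure direct object reference: the server checks that the caller is logged in but trusts the profile id the caller supplied. The following is an added example written for this thread, not code from Mercury or from anyone in the discussion; the profile data, ids and handler names are constructed for illustration. It shows the vulnerable handler beside a hardened one that authorizes against the session and writes an audit record for every attempt, which is exactly the evidence people further down the thread are asking Mercury for.

```python
"""Added example (not from the thread or from Mercury): an IDOR handler beside
its fix. All ids, names and handler names below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample store. Sequential numeric ids mean that anyone who sees
# their own id in the browser's dev tools can guess their neighbours'.
PROFILES = {
    1001: {"name": "Alice Example", "address": "1 Sample St", "rewards": 120},
    1002: {"name": "Bob Example", "address": "2 Sample St", "rewards": 45},
}


@dataclass
class Session:
    user_id: int      # the authenticated caller
    profile_id: int   # the single rewards profile this caller owns


@dataclass
class AuditLog:
    """Server-side record of who asked for which profile and whether it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, session: Session, requested: int, allowed: bool) -> None:
        self.entries.append(
            {"user": session.user_id, "requested": requested, "allowed": allowed}
        )


def get_profile_vulnerable(session: Session, profile_id: int) -> Optional[dict]:
    """Vulnerable: checks only that there is a session, then trusts the id in
    the request. Any logged-in caller can read any profile by changing the number."""
    return PROFILES.get(profile_id)


def get_profile_hardened(session: Session, profile_id: int, audit: AuditLog) -> Optional[dict]:
    """Hardened: the allowed profile comes from the session, not from the
    request, and every attempt is logged so a later investigation can answer
    "was my profile read by someone else?"."""
    allowed = profile_id == session.profile_id and profile_id in PROFILES
    audit.record(session, profile_id, allowed)
    if not allowed:
        return None  # surfaces as 403/404 to the client; the audit entry stays
    return PROFILES[profile_id]


def count_crossuser_attempts(audit: AuditLog) -> int:
    """Detection: number of denied attempts on a profile the caller does not own.
    A burst of these from one account is the enumeration pattern to alert on."""
    return sum(1 for e in audit.entries if not e["allowed"])


if __name__ == "__main__":
    alice = Session(user_id=1, profile_id=1001)
    print("vulnerable:", get_profile_vulnerable(alice, 1002))  # Bob's data leaks
    audit = AuditLog()
    print("hardened:", get_profile_hardened(alice, 1002, audit))  # None
    print("denied attempts logged:", count_crossuser_attempts(audit))
```

The important design choice is that the hardened handler never derives authorization from request data, and that the denial is logged on the server. Without that second part the only honest answer a provider can give later is the "we believe it's unlikely" wording quoted earlier in the thread.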
So, should all Mercury clients change their passwords?
@MadEngineer:
Try interacting with AI and ask it to use python to do something with a documented API for website that you use. It doesn't take much to have it lead you down the path of pressing f12 and looking through the data source to find an ID number or other useful goodies.
Any normal person would then wonder what happens if they change that number. It's literally child's play, even more so now with AI helping anyone to make simple queries.
I know how to do it. I asked in the event someone had already done it and it was known or part of a post-mortem by now.
k1w1k1d:
So, should all Mercury clients change their passwords?
No, the only (supposedly) exposed data fields are name, address and rewards.
As far as I know (likely hashed) passwords and emails are not leaked (according to their disclosure).
turtleattacks:
k1w1k1d:
So, should all Mercury clients change their passwords?
No, the only (supposedly) exposed data fields are name, address and rewards.
As far as I know (likely hashed) passwords and emails are not leaked (according to their disclosure).
Still a big deal. If people have email addresses and a list of leaked passwords from somewhere else, they don't have to do a password spray and spend days trying to login, they can just try the leaked password for each email address once, making the whole process a lot faster.
This could validate email/password is being reused and try that combination again in higher value targets, for example banks.
This is good for them because banks are usually resistant to password sprays thanks to throttling, but single attempts with correct username/email and password would not trigger some rules.
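The point made above, that one attempt per account with a leaked pair never trips per-account throttling, is worth showing from the defender's side. The following is an added example for this thread, not code from any bank or from the poster; the log format and the log lines are constructed. It runs a normal per-account lockout rule and a per-source rule over the same events: the lockout rule sees nothing, while grouping by source address and counting distinct accounts inside a short window flags the stuffing run and lists which accounts it succeeded against.

```python
"""Added example (not from the thread): detecting credential stuffing that a
per-account lockout misses. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso timestamp> auth <ok|fail> user=<id> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one real user who mistypes once, and one source that
# tries five different accounts exactly once each, one of which works.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth fail user=alice@example.test ip=203.0.113.5
2024-05-01T10:00:09 auth ok user=alice@example.test ip=203.0.113.5
2024-05-01T10:01:00 auth fail user=u1@example.test ip=198.51.100.7
2024-05-01T10:01:02 auth fail user=u2@example.test ip=198.51.100.7
2024-05-01T10:01:04 auth ok user=u3@example.test ip=198.51.100.7
2024-05-01T10:01:06 auth fail user=u4@example.test ip=198.51.100.7
2024-05-01T10:01:08 auth fail user=u5@example.test ip=198.51.100.7
"""


def parse(text):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def per_account_lockouts(events, max_fail=3):
    """The usual control: lock an account after N failures. Stuffing makes
    at most one or two attempts per account, so this returns nothing."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "fail":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= max_fail}


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Group by source ip and slide a time window over its attempts. A source
    that touches many distinct accounts inside the window is flagged, and the
    accounts it logged into successfully are the ones to force a reset on."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_accounts and len(users) > flagged.get(ip, {}).get("accounts", 0):
                flagged[ip] = {
                    "accounts": len(users),
                    "compromised": sorted(u for _, u, r in span if r == "ok"),
                }
    return flagged


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG))
    print("locked by per-account rule:", per_account_lockouts(evs))  # set()
    print("flagged sources:", stuffing_sources(evs))
```

Thresholds are deliberately low here to fit the sample; in production the window and the distinct-account count are tuned per login endpoint, and a source is usually a network range or ASN rather than a single address, since stuffing tools rotate through proxies. The `compromised` list is the actionable output: those are the reused passwords the post warns about.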
freitasm:
Sorry, my post wasn’t an answer to your previous one. It’s in agreement at how their response is a bit naff.
@MadEngineer:
Try interacting with AI and ask it to use python to do something with a documented API for website that you use. It doesn't take much to have it lead you down the path of pressing f12 and looking through the data source to find an ID number or other useful goodies.
Any normal person would then wonder what happens if they change that number. It's literally child's play, even more so now with AI helping anyone to make simple queries.
I know how to do it. I asked in the event someone had already done it and it was known or part of a post-mortem by now.
Yesterday I got a phishing email that was pretending to be Mercury. The link to click on was not Mercury, but they did pretty well in simulating a Mercury email. So I am suspecting that someone is using the data leaked from the bad API to target Mercury customers like me.
fe31nz:
Yesterday I got a phishing email that was pretending to be Mercury. The link to click on was not Mercury, but they did pretty well in simulating a Mercury email. So I am suspecting that someone is using the data leaked from the bad API to target Mercury customers like me.
I got one too, but don't think it was directly related as it went to an account I don't use for anything except gaming. And I don't use Mercury. So more coincidence or someone just trying to "cash" in on the news.
XPD / Gavin
MadEngineer:
Anyone with Mercury able to request access logs to their account? That will answer two questions - the obvious but also if they’re even logging API access at all.
I made a request based upon the Privacy Act for logs, and they have not provided that, yet, so I have asked again.
They have however replied with this:

@MadEngineer:
Anyone with Mercury able to request access logs to their account? That will answer two questions - the obvious but also if they’re even logging API access at all.
They tell me this:

Not much use if we find out there was a problem prior to that, as they would be unable to confirm any activity on any accounts.