Is mangadex sharing user data with 3rd parties?

[FredFriendly]

The reason I ask is that I just received an unsolicited email from a 3rd party addressed to the email address that I have registered with mangadex. The email address is a forwarding address only, meaning that it is not and cannot and has never been used to send emails. My profile page on mangadex is the only place that that email address appears and is the only place that the email address and my mangadex name (also in the email) could have come from.

 

[ixlone]

@FredFriendly

We don't share info with anyone.

You didn't try to log into one of the fake Mangadex sites and give them your email during our recent downtime, right?

https://haveibeenpwned.com/ comes back with your email as safe still, too.

 

[FredFriendly]

@ixlone

You didn't try to log into one of the fake Mangadex sites and give them your email during our recent downtime, right?

Since the one time I used that email address to register as a user on mangadex, I have never used it again, ever. I use my user id to log into mangadex, not that email address. And I'm not that stupid to log into a fake mangadex website.

We don't share info with anyone.

It sure would be nice to know how they got that email address and my username then. If you don't share info then the only other probabilities I can speculate is that they either hacked into your system or the info was stolen by someone who already has access.

https://haveibeenpwned.com/ comes back with your email as safe still, too.

That website neither guarantees that my email address is "safe" nor that it hasn't been stolen. If you did not authorize it's use by a 3rd party, and I certainly did not, then it was obviously stolen.

 

[ixlone]

Well like I said, we do not share any info with anyone and we've seen no signs of us being compromised, but it's not like any website can say it is 100% safe.

But it could be just as possible that the loss of data was on your end, right?

We'll be sure to keep an eye out in case anyone does post anything related to us in the mean time. But all I can say for sure is that we do NOT share ANY info with ANYONE.

@FredFriendly

Who was the email actually from?

 

[blackyawgdom]

Any email address can be sent spam....
And considering youre a member of multiple groups.... and all of them have contact details for you >.>

 

[BzzBzz]

I once created gmail account and never used it. Not even for single registration. 2-3 months later I found that every week there's 10+ spam mails from 8 different "companies". There can be only one conclusion - it's google (or other service provider) that sells your data.

 

[Kyokai]

I can confirm that using a gmail account allows google to share your info with 3rd party. unless you are using one of their paid services and specifically opt out of all 3rd party sharing.

I have a custom domain email using Gapps that I use exclusively for Mangadex and I have yet to receive any notion of spam nor any emails.

 

[FredFriendly]

@ixlone

But it could be just as possible that the loss of data was on your end, right?

I had considered, briefly, my email server being compromised but the inclusion of my mangadex name makes that impossible as my email server does not know that name.

Who was the email actually from?

Having the luxury of my own email system, I have separate forwarders for all of my various login accounts.

resources@progress.net

email:

Spoiler

Ipswitch-MOVEit

Hello Fred,

Ipswitch MOVEit has been named a leader in Info-Tech Research Group’s 2019 Managed File Transfer Category Report.

What makes this report so special is that it’s based on reviews from real end users, verified for veracity. That means you’re getting unbiased feedback from the people who matter most—the customers that use these solutions to solve real-world problems.

Ipswitch MOVEit was noted for its strengths in five key categories:

* Breadth of features
* Quality of features
* Vendor support
* Ease of integration
* Ease of administration

Please download the full report for a more in-depth look at how Ipswitch MOVEit stands in the broader MFT landscape.
Download Now »

Sincerely,
The Progress | Ipswitch Team


Copyright (c) 2020 Progress Software Corporation and/or its subsidiaries or affiliates. All rights reserved.
15 Wayside Road, 4th Floor, Burlington, MA 01803
Call Us: 1-781-676-5700 | Privacy Center | www.ipswitch.com

Progress, Telerik, Ipswitch and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

@blackyawgdom

And considering youre a member of multiple groups.... and all of them have contact details for you >.>

Apparently you did not understand my previous messages, particularly this:

Since the one time I used that email address to register as a user on mangadex, I have never used it again, ever.

As I have my own email system, I use separate email forwarders for each of my various login accounts.

 

[FireFish5000]

@FredFriendly Your email server's certificate expired several years ago. I cannot be confident that emails are sent to your server encrypted using the expired cert, nor can I be confident that your email client is connecting to your server using the expired cert. If either fallback to plaintext, then any hop along the way can read the emails sent to you.

If your email client falls back to plaintext, then it would be perfectly possible that some rando sniffing the network you're on saw the emails, and possibly even your credentials to access it.

While I am not sure how big this data selling industry is, if it's as popular as people claim, I would highly recommend updating your server certificate to be safe. And if your email client has indeed been falling back to plaintext, I highly recommend changing all passwords you used for accounts on it.

 

[FredFriendly]

@FireFish5000 There have only been 2 emails sent to that address (and none sent from it), the first being the mangadex registration confirmation on January 18, 2018 and the second being the one quoted above so I seriously doubt that it has anything to do with "some rando sniffing the network" since I doubt any rando would wait 2 years to use a stolen email.

 

[FireFish5000]

@FredFriendly I will say that this seems like very unfortunate timing. There would be a lot more screaming going on if our db was compromised. However, this seems like an isolated issue so I am highly doubtful that that is the case. And seeing how long you have been with us, I also would find it odd if you were tricked. But all it takes is one google for mangadex and a click on some 'unblock' site for that to occur, so the possibility must be brought up.

I doubt any rando would wait 2 years to use a stolen email.

My point was that visits to a non encrypted site are in plaintext, and even a no brain rando at a coffee shop or hotel can view your emails/passwords as you access the webmail. I would be more worried about smarter (probably?) data selling companies collecting it at a higher hop.

I still think it would be worth looking into the possibility of your email server being compromised. And believe that being the case is much more likely seeing how data is likely not encrypted.
Think of it this way. Should you open your cPannel, they could potentially gain your admin password and take over your server entirely. I believe for someone worried about info security, this is..... a big gaping hole you really need to consider

 

[FredFriendly]

@FireFish5000

even a no brain rando at a coffee shop or hotel can view your emails/passwords as you access the webmail

That may be true if I were using webmail, but I don't. Also, as I said before, that email address is a forwarding email address only and is not used as a normal email address.

I've been using my email system for 22 years and it's never been hacked. I have gotten SPAM before due to other systems being hacked (ebay, yahoo, etc.) and it's pretty easy to see where the emails were hacked from. But the only place on the Internet that that email address should exist is on mangadex.

I still think it would be worth looking into the possibility of your email server being compromised.

That may be so, but not for this situation. Need I re-iterate the reasons why?

 

[FireFish5000]

@FredFriendly I mean, our emails to you could be compromised should the connection downgrade due to the cert, so hops to your server are still at risk even if the hops from your server do not matter. This is true for all the accounts on your domain sent from any server for any website. It won't always be the case since many email servers will choose to use the expired cert, but still. Even if your positive the issue is on our end.... please update your cert for your own safety. This can compromise a lot of the work you are putting into your email network.

And while you do not need to reiterate the reason why you don't believe its an issue on your end, I do not believe we need to reiterate why we do not believe it is on our end either. In the off chance that it is though, you would be the first reporter for an incoming storm

 

[fuzzyk]

Is your e-mail address a combination of words that could be guessed? That occurs elsewhere on the internet? Not necessarily as part of an e-mail address.

Spammers also send e-mails to random addresses. Having an address that never appears anywhere is not a protection in any way. It’s like having a private phone number but robocallers just dial every possible number there is. This is entirely unrelated to the mail/phone provider selling your data.

 

[crazybars]

@FredFriendly

Wait a minute, if you sent or received an email to a Mangadex email to make an account , that must mean your Email address was on an Email that was Sent or Received on the Mangadex Email Account. If a copy of that Email was saved at any point in time on the database of whatever mainstream email company Mangadex Email was using at the time, that email address is probably still known to that company because these companies hoard and analyze Email Addresses. Usually for Spam protection, but sometimes so they themselves can send spam to you or monitor contacts.

If someone gains access to that data and digs or the company itself uses a bot to crawl retrieve and sell these email addresses, wouldn't your email address get to spammers this way?

 

[FredFriendly]

@crazybars As I said before, until I received this new email, the only time an email was sent to the email account was when I registered on mangadex two years ago.

If someone gains access to that data and digs or the company itself uses a bot to crawl retrieve and sell these email addresses, wouldn't your email address get to spammers this way?

I agree with what you speculate, but it really does not seem as if this is what happened. Normally, when an email system of a company gets hacked (such as when ebay was hacked), I would get a flood of SPAM with over a hundred emails a day to start with. Also, spammers would normally have hidden list of recipients, but the email I received was to me only and specifically.

I'm still in a quandary as to how this happened.

 

[crazybars]

@FredFriendly

Man, you're right. It wouldn't make much sense to just send one Spam Email if they succeeded this way. I hope it doesn't bother you too much, I don't think we're gonna ever find out what happened.