Sparesbox Data Breach

Related Stores

Sparesbox

• 

  Nugs on 27/05/2021 - 18:11

  +2

  I also got an email from Mary today. I wondered what caused it
  .

  • 

    Yummy on 27/05/2021 - 19:59

    +2

    Something about Mary.

    • 

      SF3 on 27/05/2021 - 22:03

      A Bloody Mary?

      • 

        Yummy on 29/05/2021 - 04:49

        Hair gel.

  • 

    bdl on 27/05/2021 - 22:50

    Frank n beans

• 

  yippy on 27/05/2021 - 18:12

  +1

  I got one of those emails too but my first name was spelt wrong. I have bought from Sparesbox ebay a couple of times.

• 

  cimrak on 27/05/2021 - 18:14

  has it been announced as an actual data breach? Or did they just sell their contact list?

  • 

    stickyfingers on 27/05/2021 - 18:17

    +1

    Their privacy policy states they will not sell or provide your data to third parties.

• 

  PissLUR on 27/05/2021 - 18:19

  does this include from ebay purchases?

  • 

    yippy on 27/05/2021 - 18:22

    I've only bought from their eBay store and I received one of those emails.

• 

  brendanm on 27/05/2021 - 18:27

  be held accountable for breaches

  Would be great if they were, might make them take it a little more seriously.

• 

  pegaxs on 27/05/2021 - 18:36

  Well, I got a winky face from Mary. I think I’m in…

  • 

    DashCam AKA Rolts on 27/05/2021 - 19:01

    She might offer some great bitcoin deals, as well as notifying you that there is a package being held for you but you need to respond to an email first.

• 

  MS Paint on 27/05/2021 - 19:28

  Mary Mary you're on my mind

  • 

    SF3 on 27/05/2021 - 22:05

    Mary, Mary, quite contrary

  • 

    GoldenDragon888 on 28/05/2021 - 09:07

    Mary, Mary, where you goin' to?

    • 

      ModdySwag on 01/12/2021 - 19:15

      Mary Mary ..why you buggin ?

• 

  bongom on 27/05/2021 - 20:41

  I got 2 emails today from Mary with email body "Emmanuel, it is Mary.', however I have never purchased from Sparesbox directly, only via eBay.
  Only 1 of the email addresses that received Mary's email has been registered with eBay but both have been registered with catch.com.au.

• 

  lgacb08 on 27/05/2021 - 21:25

  +1

  got one too but it showed my email prefix from an email used in ebay account

  • 

    mapax on 28/05/2021 - 05:45

    Same. Mine was sent to an ebay associated address and not the address I use with the sparesbox website.

• 

  penguincat on 28/05/2021 - 16:24

  +1

  Yep got one today "Penguincat, my name is Mary." yet the email address was a tim of eynir lol

  I've never capitalised the p in penguincat seeing as it's a made up word. Had used that email address on sparesbox directly so they used my email prefix and not my registered name?
  Does sort of remind me of the Domino's 3rd party/breach thing that happened several years ago. https://whrl.pl/ReZ6kQ

• 

  EmployeeLukeSparesbox @ Sparesbox on 28/05/2021 - 17:25

  +8

  Hi everyone,

  My name is Luke, I'm the Head of Customer Experience at Sparesbox. We are committed to protecting your privacy, ensuring the security of your data and keeping your information safe. We have taken steps to ensure that your personal information that we hold is stored in a secure environment in which is encrypted and protected from misuse, interference, loss, and any unauthorised access, modification or disclosure.

  Our technical teams work hard to adhere to the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) which set clear standards regarding the collection, use and disclosure of information.

  We thank you for raising this concern to us. We will now conduct internal discussions with relevant business units involved in the collection and use of your personal information and our Technical Teams will conduct a thorough investigation of our systems and the security measure in place. In the event that any such breach is identified, we will endeavour to reach out to customers to notify you of the results of our investigation.

  If you have further concerns or would like to know more, please reach out to me via email at [email protected].

  Luke Byrnes
  Head of Customer Expeirence
  Sparesbox

  • 

    Kranbone on 02/06/2021 - 12:02

    +1

    How did the data breach occur? Are you 100% absolutely certain they don't have my payment/card details (should I request a new card)? Is it possible the data they have can be decrypted?

    All I found was this post, no announcement on the page or email sent out. I wish you at least contacted me advising what happened.

  • 

    picklewizard on 20/06/2021 - 20:47

    +4

    Hi Luke,

    I reached out to you 8 days ago, I identified the breach in an identical manner to stickyfingers - I use "sparesbox@[mydomain.com]".

    Disappointingly, I have not received a response to my email. I've followed up again just now.

    This is deeply concerning as I have no knowledge of the extent of the breach, but it would not be unreasonable to assume that all data held by Sparesbox is now in the hands of an unauthorised party.

    Please respond urgently.

    For everyone else affected - after 30 days without a satisfactory response, you can make a privacy complaint: https://www.oaic.gov.au/privacy/privacy-complaints/before-yo…

    • 

      stickyfingers on 21/06/2021 - 12:15

      +1

      I assumed Sparesbox would have provided an update by now. I've received no updates either.

      Thanks for the link. I'll hang in a little longer before making a complaint. I suggest others do too.

    • 

      Kranbone on 21/06/2021 - 19:44

      I left a comment for the rep in the thread above but he's not responded either.

      I don't think they care.

      • 

        SummerZero on 21/06/2021 - 20:19

        +2

        They should care. Without customers they make no money.

        This is the kind of thing companies pull that results in gdpr-type legislation.

• 

  kerfuffle on 29/05/2021 - 08:44

  I also got one from Mary, but they seem to have gotten my first name wrong e.g. my name is Andrea*, but they addressed me as Andrew.

  *Not my real name

• 

  Keplaffintech on 29/05/2021 - 10:25

  +1

  I got this crap too. Thank you for exposing where the breach came from.

  I have a domain name where I have a catch-all address setup

  How do you do this?

  • 

    stickyfingers on 29/05/2021 - 11:36

    +5

    Register a domain name and setup a wildcard/catch all (*) email address to forward to your Gmail, etc.

    Google Domains makes this really easy with their “Email Forwarding” option which is free with a domain.

    Then [email protected] will forward to your email. So I could make an email address such as [email protected] and I would receive it to my Gmail but it would maintain the “To” email as the one it was sent to.

    This is good for two reasons; the first is that you can identify who sent you the spam, the second is that you can setup a rule in your email client to block all emails sent to that address and wipe it out.

    • 

      this is us on 10/08/2021 - 00:59

      +1

      This is one of the best ideas I've seen in recent weeks, maybe months…

• 

  stickyfingers on 29/05/2021 - 11:37

  +3

  I’ve made a few other purchases with Sparesbox under different emails and they all received more Mary spam today.

  • 

    Kranbone on 01/06/2021 - 15:38

    I've always had issues with the store over promising goods and under delivering. Sadly I used my personal email to make purchases but am genuinely worried. Would you advise I cancel my cards?

    Ironically I once met one of their employees at a track day, Jake (or James, tubby guy with glasses). I was with a group of friends and we all found him condescending and patronising. Cool car though.

    • 

      ATTS on 01/06/2021 - 15:48

      whats the downside of using personal email for purchase from sites?

      is it you just get spam on personal email when there is breach?

      and what happened with them promising and then undelivering goods?

      • 

        Kranbone on 01/06/2021 - 16:40

        whats the downside of using personal email for purchase from sites?

        A downside is potential spam for your personal inbox. I thought sparesbox was safe but this just proves otherwise.

        and what happened with them promising and then undelivering goods?

        they resell goods which they don't physically stock, ie, acting as a middle man. In the past I've bought a variety of items only to find certain items are out of stock with no further date. The other items kind of go together so it really inconvenienced me. Had I known not all the items were available, I wouldn't have purchased.

      • 

        stickyfingers on 02/06/2021 - 13:05

        +2

        Downside is that once you get spam you can’t stop it but also if you reuse passwords (we all do it) then they know what email address to login with and may also be able to reset your password by guessing your security questions.

        My partner had her information leaked recently due to a breach and despite her best efforts to change passwords she forgot about her PayPal… if she had used a different email for PayPal it would have been unlikely they would have known what email to login with and so it wouldn’t have mattered if they knew the password.

• 

  jackary on 30/05/2021 - 19:35

  Have also received 2 emails from Mary - 2 different accounts, both of which I’ve used with Sparesbox… I’m Jack but she called me Jacky :(

• 

  mrjeeves on 30/05/2021 - 21:49

  I got an email from “Mary” too, via an email forward I’ve used for a purchase with these guys. Good catch OP.

• 

  SummerZero on 30/05/2021 - 21:57

  I got it too :(

• 

  PhatChedda on 31/05/2021 - 07:15

  We did it bois

• 

  yippy on 01/06/2021 - 14:59

  Just got a different one today. Same spelling mistake on my first name but this time it's from Jess instead of Mary.

  • 

    ATTS on 01/06/2021 - 15:02

    do we change our passwords now?

    • 

      mrjeeves on 01/12/2021 - 19:06

      Definitely if your password is Jess or Mary.

  • 

    mini2 on 01/06/2021 - 15:02

    Yeah got the Jess one too.

• 

  kerfuffle on 02/06/2021 - 11:20

  +2

  Did you all get a Welcome to Sparesbox e-mail today? I just got one.

  • 

    Dumax on 02/06/2021 - 11:24

    +1

    Yup. Pretty much a confirmation of the breach.

  • 

    AnDyStYLe on 02/06/2021 - 11:58

    Yes, lucky it's not showing up in https://haveibeenpwned.com/, but maybe it's too early to tell… Not happy!

    • 

      yippy on 02/06/2021 - 12:06

      Mine has shown up as having 1 breach. I use 2fa on important stuff and different passwords so not too worried. Haven't checked lately so not sure if it's related to Sparesbox.though.

  • 

    yippy on 02/06/2021 - 12:02

    So what did it say? I've only purchased from their eBay store and not from their webstore so didn't get one. Shouldn't they be sending it to all their customers seeing as their eBay customers had their details breached too.

    • 

      kerfuffle on 02/06/2021 - 12:03

      Welcome to Sparesbox. Please click the link below to create a password and sign-in.

      With a Zendesk link

      • 

        yippy on 02/06/2021 - 12:04

        Cool, thanks.

  • 

    stickyfingers on 02/06/2021 - 13:01

    Nope, none here.

• 

  EmployeeLukeSparesbox @ Sparesbox on 02/06/2021 - 15:06

  -1

  Hi everyone,

  I apologise for the confusion. This is actually a completely separate issue that I'm happy to explain.

  Recently, we updated our Customer Relationship Management System (CRM) with a new one called Zendesk. For those that don't know, a CRM is a system that allows us to support our customers via email, live chat, phone and even Facebook in one place. It's very handy in that we can see all your contact with us and don't need to explain what you need multiple times when speaking to our staff.

  There is a function in the new system that allows customers to sign up for support. It's designed for businesses that use it for client management rather than what we do. It was switched off and should not have sent an email through but we've identified a bug that allowed it to be sent regardless. It's why the email is so badly formatted; it was never meant to be sent.
   
  This isn't something to worry about and you can simply delete or discard the sign up email you have received. 

  If you have any further questions or concerns, please reach out to me via email at [email protected]

  Luke
  Head of Customer Experience
  Sparesbox

  Kind regards, 

  Customer Experience Team
  Sparesbox

  • 

    Kranbone on 02/06/2021 - 20:12

    +1

    What an odd bug.

    Wouldn't this mean that other companies who use this Zendesk software would also be effected by the bug?

    …so just to confirm, on data breach?

    • 

      9839002 on 13/07/2021 - 15:14

      +2

      We use Zendesk. This sounds dodgy as (profanity)

• 

  mapax on 08/06/2021 - 07:33

  +2

  Got another one this morning, this time it’s from Jess.

  • 

    penguincat on 09/06/2021 - 23:52

    I just got one from Jess from a yahoo email address about an hour ago. "Hello Penguincat, how are you?" Must have been a long day.

    • 

      mapax on 10/06/2021 - 07:05

      +1

      The one I got was “Hi mapax, how do you do?”

  • 

    stickyfingers on 12/06/2021 - 01:12

    Yep I'm getting bombarded with Jess ones now.

• 

  SummerZero on 08/06/2021 - 11:35

  +1

  Anyone get sms spam today?
  I haven't had any in a very long time.

  Today I got this:
   Hello - Your item is being held at our intl forwarding centre. Please follow instructions: {spam url}

  • 

    Kranbone on 11/06/2021 - 22:12

    I've also received spam but am unsure if this one is sparesbox related. I hope they can fix things soon.

    • 

      SummerZero on 13/06/2021 - 14:41

      +2

      Yeah, they really should own up to it if it has indeed happened.

      Stating silent doesn't do much for retaining the customers trust.

      Prices are great, the Web interface is good, but shipping times are some of the worst I've experienced from an online store.

      I can't see myself dealing with them again.

• 

  kerfuffle on 13/06/2021 - 09:46

  Also got one from Jess, with incorrect name e.g. Andrew instead of Andrea

  • 

    Kranbone on 13/06/2021 - 10:24

    Yeah, mine had a spelling mistake too.

• 

  AndyC1 on 20/06/2021 - 23:31

  Sounds like Luke has no idea about the data breach and does not know what went wrong as normally a CRM does not allow customers to sign up for "remote" support access to send out emails to people registered in the CRM, unless someone has granted them access or the system was left wide open.

  If they did leave it wide open then the access would have allowed them to grab the details and therefore it was a breach. If someone granted them access then even worse as it shows the staff are incompetent.

  • 

    SummerZero on 23/06/2021 - 01:33

    +1

    Are mods aware of this?
    Not sure what the rules are and whether sparesbox deals would be allowed here while it's up in the air

• 

  akyeeeahdude on 26/07/2021 - 21:32

  Did anyone take this to the OAIC? It's pretty significant.

  I used to get a similar thing after ordering Dominos.

  • 

    stickyfingers on 26/07/2021 - 23:59

    +2

    I've been meaning to follow up on this as it seems like Sparesbox are just hoping we'll forget…

    I'd suggest those who received any emails from this to contact [email protected] and ask for an update.

    Luke Byrnes, Head of Customer Experience is the one who has been commenting on the thread and who I first informed.

    They need to be investigating this and notifying customers. I won't be ordering from them again after their poor handling of this.

    • 

      Kranbone on 05/09/2021 - 12:19

      Did you ever receive any update? It's disappointing but it seems as if they don't care.

      I wonder if the vendor should be prevented from posting further deals until things improve.

      • 

        stickyfingers on 06/09/2021 - 17:37

        +1

        No they don’t care. I’m yet to file a report but I will be now. I’ve given them plenty of chance to reply but they flat out ignore me. Sounds like they do to others too.

        • 

          SummerZero on 06/09/2021 - 17:39

          +2

          @stickyfingers: IMO any store that has had a data breach should have something automatically noted on posts so that users are aware before they click through.

    • 

      USER DC on 12/09/2021 - 00:22

      +1

      I wish i saw this thread before, Just after receiving those emails had my PayPal account hacked. (LOST LIKE ~$79 AUD, someone had bought KINGUIN Digital Gift card in USD) Didn't knew about this issue at all, I wish i didnt reply to that Mary emails, I knew it was a fake email, so i pretended to continue on her silly boyfriend talk, (like yeah i was with her GF mary and mum etc) Because i was wanting to have fun emailing these scammers.
      But yeah never will i ever be replying to those emails again, AND NO, NEVER USING SPARESBOX again.

      Mary's email was [email protected]

  • 

    stickyfingers on 10/08/2021 - 00:37

    +1

    So far I've been giving Sparesbox a chance to investigate. However, my requests for an update have been ignored.

    I'll look into filing a report. I'd appreciate others doing the same.

• 

  stickyfingers on 02/09/2021 - 03:32

  +1

  Just confirming here that my requests for an update to Sparesbox support have been ignored. Has anybody else heard any updates?

  • 

    picklewizard on 07/09/2021 - 13:44

    +2

    Nope, despite Luke's assurances that "silence doesn't mean they're ignoring me" these guys are clearly all talk.

    Time for an official complaint I guess?

    • 

      stickyfingers on 08/09/2021 - 02:27

      +2

      Yep agreed. Really a big let down from these guys.

• 

  BraggingRights on 12/09/2021 - 12:03

  +2

  This is why I don't use just any "online only" store that comes along, most of them have fantastic front page sex appeal, than the backend is terrible, security is weak, disgusting service.

  No thanks.