Have 10 million Trapster users been exposed to spammers?Written by John P Mello Jr on January 27, 2011
Subscribers to the Trapster service may be able to avoid speed traps while driving their cars but they may not be able to avoid spammers when operating their computers. That’s because some 10 million users of the service may have had their email addresses compromised.
In a letter sent to its users last Thursday, the service wrote,
“The Trapster team has recently learned that our website has been the target of a hacking attempt, and it is possible that your email address and password were compromised.”
“We have taken, and continue to take, preventive measures to avoid future incidents but we are recommending that you change your Trapster password,” the missive continued. “As always, Trapster recommends that you use distinctive passwords for each site you visit, but if you use the same password on Trapster that you use on other services, we recommend that you change your password on those services as well.”
Within 24 hours of the caution letter being sent to subscribers, Trapster said it had rewritten the vulnerable code to prevent a recurrence of the incident in the future. It’s also working on additional security measures to better protect its customers’ data in the future, it added.
What may be preventing the breach from becoming one of the largest in Internet history is the fact that the service doesn’t require its users to register with it.
“[A] majority of our users who download the app do not register which means they did not provide an email address (as it is not a requirement),” Trapster noted in an FAQ on the incident. “So the figure is well below the 10 million users which has been reported.”
The company, which makes an app for smartphones, emphasized that its advice about changing passwords was a “better safe than sorry” measure.
“While we know that we experienced a security incident, it is not clear that the hackers successfully captured any email addresses or passwords, and we have nothing to suggest that this information has been used,” it said.
A big concern in a security breach like this is that stolen email addresses and passwords can have a multiplier effect. That’s because users–myself included–tend to be lazy and use the same password for multiple sites.
“[Y]ou may not care very much if your credentials on Trapster have been compromised and may think that not too much harm can come from that,” Graham Cluley noted at the Naked Security blog. “But what if you use the same email address/password combination on other websites such as your Twitter account, or web email address?”
That prospect wasn’t lost on Twitter’s security maven Del Harvey, who chirped this tweet to the service’s minions: “Sign up for Trapster? You need to change your password there. Don’t use the same password on multiple sites!” No doubt prominent in Harvey’s mind were reports that usernames and passwords purloined from Gawker accounts in December were used to compromise Twitter accounts and then use those accounts to flood the microblogging service with spam.
The Trapster breach occurred a little over a month after hackers went on a break-in spree at Gawker, McDonalds and Walgreen. During the Gawker attack mounted by a group called Gnosis some 400,000 accounts were compromised. McDonalds and Walgreens didn’t release specific numbers for their breaches, which are thought to be linked to a spear-phishing campaign against email service providers that’s been going on for months.
If all 10 million user accounts had been compromised at Trapster, the break-in would be 25 times larger than the Gawker breach. Still, as Gregg Keizer points out in Computerworld, if only one in 10 accounts were compromised, the raid would be 2.5 times the size of the Gawker fiasco.
Trapster was picked by Wired magazine in 2009 as one of the best location-aware apps.
“[E]veryone can benefit from Trapster, a program that pulls together crowdsourced info about the location of police traps,” Wired noted. “Drivers report red-light cameras, speed cameras, or cops hiding in wait, which all get added to a map of law enforcement hot spots for the next lead-foot coming down the highway. You can even set your phone to warn you audibly when approaching the fuzz. Coast clear? Floor it.”
Depending on the severity of last week’s break-in, Trapster may be eligible for another “best” kudo–best spam platform.