LogMeIn.com Security/Data breach affecting many users – LogMeIn largely quiet

Today I found that, like many other LogMeIn.com (NASDAQ: LOGM) users (at least 6 pages worth on their support forums), I was the victim of a data breach. Somehow, the e-mail address I use to manage my LogMeIn.com account had been accessed by an unauthorized party, and used to send me spam e-mail.

Like many technology professionals, I use a variety of email technologies that allow me to create individualized e-mail addresses for specific services. Only the said service has knowledge of this email address. The address is not provided to any other service, or entered on any other website. Under most circumstances, I’m not even able to send email from these aliased addresses, so there are very, very few ways a spammer can get an address without a data breach.
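As an added illustration (not part of the original post), here is one way to automate the check described above: keep a registry of which service each alias was given to, and flag any message that reaches an alias while claiming a sender outside that service's domain. The alias names, `example.org`, the registry and the function names are all assumptions made for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed registry: each alias was handed to exactly one service.
ALIAS_OWNERS = {
    "lmi-7f3a@example.org": "logmein.com",
    "shop-91bc@example.org": "shop.example",
}
RCPT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")

def _belongs_to(sender_domain, owner_domain):
    """True if sender_domain is the owner domain or one of its subdomains."""
    return sender_domain == owner_domain or sender_domain.endswith("." + owner_domain)

def check_message(raw):
    """Return findings for aliases that got mail claiming an unexpected sender.

    The From header is trivially forged, so a match proves nothing; a mismatch
    on an alias known to one service is the signal that the address leaked."""
    msg = message_from_string(raw)
    senders = {addr.rpartition("@")[2].lower()
               for _, addr in getaddresses(msg.get_all("From", [])) if "@" in addr}
    rcpt_values = [v for h in RCPT_HEADERS for v in msg.get_all(h, [])]
    recipients = {addr.lower() for _, addr in getaddresses(rcpt_values)}
    findings = []
    for alias in sorted(ALIAS_OWNERS.keys() & recipients):
        owner = ALIAS_OWNERS[alias]
        unexpected = sorted(d for d in senders if not _belongs_to(d, owner))
        if unexpected or not senders:
            findings.append({"alias": alias, "given_to": owner, "seen_from": unexpected})
    return findings

# Constructed sample messages (only the headers matter here).
SPAM = ("From: ADP <payroll@adp.com>\nTo: LMI-7f3a@example.org\n"
        "Subject: Your invoice\n\nsee attachment\n")
LEGIT = ("From: LogMeIn <noreply@mail.logmein.com>\nTo: lmi-7f3a@example.org\n"
         "Subject: Account notice\n\nhello\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, check_message(raw))
```

A finding only shows that the alias is known outside the service it was given to; it does not say how the address got out.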

Adding credibility to my concerns are the 6 pages of concerned tech-savvy individuals on LogMeIn.com’s support forums, making exactly the same claims. The real concern here is what exactly was compromised? Was it just e-mail addresses? Was it an entire table with username/password data? Was my password properly hashed?

There are no responses from LogMeIn.com (other than an annoying “Don’t share your password with anyone and don’t click on any links!” response) on the forum, and only one other researcher has heard from LogMeIn. The response was that, while an investigation is ongoing, there is no evidence a breach occurred.

I dispatched an e-mail to Marton Anka, CTO of LogMeIn.com, regarding this issue, but thus far, have not received any response. The forum is also filled with comments about how the issue remains unaddressed, and inquiries continue to go unanswered. At the bottom of this post is a copy of the e-mail I dispatched to Mr. Anka.

Have you been affected by this issue? Leave a comment below.

Marton,

I’m writing to you today to let you know about a potential data breach with LogMeIn.

As a security process, I register different websites/services using different e-mail addresses on a variety of domains that I use. My primary domain, {redacted}, is a domain that I use for services that I consider to be important, containing personal information, or services that I use often. LogMeIn received an e-mail address on my domain.

Today, I received an e-mail, forged from adp.com, with a virus attached to it. This e-mail was addressed to {redacted}, which is my logmein username.

This e-mail address exists nowhere else in the world. It has never been typed in or entered into another website, other than logmein.com, and has never been typed into a computer that I did not directly control and personally maintain. I do not use it for any correspondence. The address cannot send e-mail (It’s technically not possible at the moment, due to the fact that the address doesn’t actually exist, but is just aliased to my domain), so it’s not as though the e-mail was obtained via some FWD that I sent on to my grandma and list of 15 friends.

In my mind there are a few possibilities, in no particular order:
A. LogMeIn was compromised, either internally, or externally
B. LogMeIn sells personally identifiable information to 3rd party sources, which then resold my information to a spammer
C. My LogMeIn clients were compromised, and the LogMeIn software clients do not adequately protect the credentials they have
D. My personal client/browser was compromised, and observed me entering credentials into your website

I’m not sure which of these is the case. Perhaps there’s an element I haven’t yet considered. As for item D, I only use my corporate computer which has a strong domain policy, anti-virus, and the like. I work in a government regulated environment, lessening the likelihood I have some rogue, credential-capturing virus. As a computer security hobbyist, I certainly hope the fault does not lie with my machines. In remaining objective, I admit it remains a possibility.

I’m not sure how to proceed from here, but I consider the matter serious. I decided to address you directly, as I figured your support staff was unlikely to be educated on how to properly investigate and escalate this issue.

I have the e-mail in my inbox, but I did not forward it to you as I didn’t want to risk your spam/virus filters intercepting the forward. I’m happy to make it and its headers available to you. I’m also happy to discuss the technical details of my email system, and domain configuration, as necessary, in order to validate my concerns.

If you’re not the right person to begin addressing this issue, please forward it to the right party for me. I appreciate your time.

With regards,

{redacted}