A huge number of New York Times customers have received a scam e-mail purportedly from the paper, raising the possibility that its subscriber database has been hacked. Users on Twitter and Google+ — some print subscribers, some digital subscribers, and some who have only registered on the Times site with their e-mail address — received the following message:
Strangely enough for an Internet scam, the message doesn’t prompt the user to click on a link, which might then install malicious software. Instead, it asks Times readers to call a phone number (1-877-698-0025), which is currently not accepting calls.
Times spokesman Bob Christie initially said the e-mail appears to be spam, and the company is investigating. The paper’s own Twitter feed warned customers: “If you received an email today about canceling your NYT subscription, ignore it. It’s not from us.”
Some Internet sleuths have traced the spam back to a huge e-mail service provider called Epsilon, which itself was hacked earlier this year. If this turns out to be a big deal, get used to hearing a lot more about “spear phishing” — it’s a scam tactic that uses fake, personalized e-mails to get users to disclose private information. That’s how Epsilon got hacked — a privacy group called it the “largest security breach ever” — and now Times subscribers may be in for the same.
Update: The Times now says the screwup was their own:
“An email was sent earlier today from The New York Times in error. This email should have been sent to a very small number of subscribers, but instead was sent to a vast distribution list made up of people who had previously provided their email address to The New York Times. We regret the error.”
Apparently the e-mail was supposed to go to about 300 people and instead went to more than 8 million. Whoops. But at least you now know what “spear phishing” is.