Social Engineering - Follow Up
After a post earlier this week I sent a data destruction request along with a link to the blog post. Here's the response.
15 Jan 11:33
Thank you for the feedback. Our CTO has read your blog post and will take it under consideration. You can send him a more detailed report if you like at firstname.lastname@example.org as the screenshot you included was not clear enough to read.
I will also make sure to use a password generator in the future. Considering that there was no reset password link generated in the system up to the point when I used your email address to generate one from an incognito window on Chrome, it was only natural for me to assume something had to have gone wrong on your end. In any case, my intention was only to help you gain access to your account and I recommended you change the password right away.
I am also very sorry you have received my emails. I can assure you you will not receive any of them in the future and that I have now deleted your account.
I wish you all the best in your future endeavours. Have a great week.
Although I'm not going to give any free lessons in terms of illicit data capture or actual social engineering prevention, it seems like Kristine perhaps misses the point about the password link but has taken heed of randomising passwords.
I did send a response back clarifying something about the screenshot, but perhaps one question to ask is: how come I'd not seen any emails from the domain in years (perhaps ever), so why did I start receiving them in the last four weeks?
Support is never an easy job and that was a lot less frosty than most of the responses I initially get from vulnerability reports or security incidents.
Speaking of which, time to finish a write-up for one of the job boards...