Customers of Russian security firm Kaspersky are understandably curious about an email they received yesterday, seemingly from the firm, calling them “dear and lovely”.
Multiple users have posted on Kaspersky’s support forum, concerned that the email – which mentions their name and email address – suggests an unauthorised party has been able to compromise Kaspersky’s systems to send it.
Some users have pointed out that the email was received at an email address that they had “only given to Kaspersky.”
Did Kaspersky really choose to send an email to its customers addressing them as “dear and lovely”? Had Kaspersky suffered a data breach? Had a hacker found a way to send messages to the security company’s customer base?
A Kaspersky employee has offered the following explanation:
Kaspersky is aware that some users of the company’s products may have recently received emails from the company’s email address with irrelevant content. This email was sent following a misconfiguration in the company’s internal IT environment. Kaspersky is reaching out to the company’s users to inform them of the issue and apologize for the inconvenience caused.
So, Kaspersky is saying a “misconfiguration” is to blame. They are not saying the emails were sent in error. They’re also not debunking the fear some users had that the emails were sent by an unauthorised party.
I mean, come on. A “misconfiguration” doesn’t cause an email to be sent like this. What would be more accurate would be to say that a goof has occurred – it may be that the email was sent in error by an employee, or that someone has *exploited* a security hole introduced through carelessness.
It is too early to say, based upon what the company has said, whether Kaspersky customer details have fallen into the hands of hackers. But the unauthorised email blastout certainly sounds like some type of security breach.
Let’s hope Kaspersky shares more information soon.
Hat-tip: @touseef__
Update:
Kaspersky has been in touch with the following statement:
The email was an error, not a data breach. An email used by the IT team for tests was sent from a staging environment to real users by mistake. Kaspersky is reaching out to the company’s users to inform them of the issue and apologise for the inconvenience caused.
Kaspersky is aware that some users of the company’s products may have recently received emails from the company’s email address with irrelevant content. This email was sent following a misconfiguration in the company’s internal IT environment.