How I discovered Instructables' email database had been stolen


Also, how you can track who let spammers get your address!

I have my own domain which I use for signing up to various websites. My registrar [and many others] allows me to have a "catch-all", so any mail sent to any address at my domain is forwarded to my regular address. When I join a website, I use the name of the site in the address, like this example:

instructables@example.com

So, if I get mail to that address, I can easily filter it into my 'Instructables' folder, and also see if spammers have gotten it. I never use it anywhere else, and I can't even send mail from it, so only one website even knows the address.
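The tracking technique above, as an added example that is not part of the original post: a small Python script that takes raw messages delivered to a catch-all domain, maps each tagged recipient (the local part) back to the site it was given to, and flags mail that arrives at a tag from anyone other than that site. The catch-all domain `example.com`, the `EXPECTED_SENDERS` table and the sample messages are all constructed for the example; a bounce from a `MAILER-DAEMON` address is reported separately, because it means someone forged the tagged address in a From: line rather than sending to it.

```python
"""Attribute spam to the site that leaked a tagged catch-all address."""
import email
from email import policy
from email.utils import parseaddr
from collections import defaultdict

MY_DOMAIN = "example.com"  # assumption: the catch-all domain you own

# Assumption: the only sender domain(s) each tagged address was ever given to.
# Tags not listed here (e.g. your personal mailbox) are left alone.
EXPECTED_SENDERS = {
    "instructables": {"instructables.com"},
    "vox": {"vox.com"},
}

# Constructed sample messages; not real mail from the page.
SAMPLE_MESSAGES = [
    "From: newsletter@instructables.com\nTo: instructables@example.com\n"
    "Subject: Weekly projects\n\nlegitimate newsletter\n",
    "From: deals@cheap-pills.invalid\nTo: instructables@example.com\n"
    "Subject: Re4plica Wat4ches Nice Gift\n\nbuy now\n",
    "From: MAILER-DAEMON@mail.victim.invalid\nTo: instructables@example.com\n"
    "Subject: Undelivered Mail Returned to Sender\n\nyour message could not be delivered\n",
    "From: editor@vox.com\nTo: vox@example.com\nSubject: Hello\n\nfine\n",
    "From: friend@example.org\nTo: bob@example.com\nSubject: personal\n\nhi\n",
]

BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}


def split_address(header_value):
    """Return (local, domain), lowercased, from a From:/To: header value."""
    _, addr = parseaddr(str(header_value))
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return "", ""
    return local.lower(), domain.lower()


def tag_for(address, domain=MY_DOMAIN):
    """The tag (local part) if the address is on our catch-all domain, else None."""
    local, dom = split_address(address)
    return local if dom == domain.lower() else None


def classify(raw):
    """Return (tag, sender_domain, kind) for a tracked tag, or None if untracked."""
    msg = email.message_from_string(raw, policy=policy.default)
    tag = tag_for(msg["To"] or "")
    if tag is None or tag not in EXPECTED_SENDERS:
        return None
    sender_local, sender_domain = split_address(msg["From"] or "")
    if sender_domain in EXPECTED_SENDERS[tag]:
        kind = "expected"
    elif sender_local in BOUNCE_SENDERS:
        kind = "backscatter"  # a bounce: our tagged address was forged as a sender
    else:
        kind = "unexpected"   # someone other than the site has the address
    return tag, sender_domain, kind


def leak_report(messages):
    """Map tag -> kind -> set of sender domains seen."""
    report = defaultdict(lambda: defaultdict(set))
    for raw in messages:
        result = classify(raw)
        if result is None:
            continue
        tag, sender_domain, kind = result
        report[tag][kind].add(sender_domain)
    return report


def leaked_tags(messages):
    """Tags that received mail from anyone other than the site they were given to."""
    report = leak_report(messages)
    return sorted(tag for tag, kinds in report.items()
                  if "unexpected" in kinds or "backscatter" in kinds)


if __name__ == "__main__":
    for tag, kinds in leak_report(SAMPLE_MESSAGES).items():
        for kind, domains in kinds.items():
            print(f"{tag}@{MY_DOMAIN}: {kind} from {sorted(domains)}")
    print("leaked:", leaked_tags(SAMPLE_MESSAGES))
```

Feed it a folder of saved messages instead of `SAMPLE_MESSAGES` and the report tells you, per tag, which site's address is now circulating; the "backscatter" bucket is the joe-job signal, where a spam target's server bounces mail that was never yours.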

Yesterday, the spam [Re4plica Wat4ches Nice Gift] started to my unique instructables address.

This has happened with other websites [vox.com, for instance], and I have informed them, usually to silence. Sometimes they claim it was a dictionary attack: that spammers are just jamming random words and phrases onto domains and sending to those.

Maybe, sometimes, they are right. Maybe some spammer has "instructables" in his dictionary and just tried it out on my personal domain. Maybe not!

I also got spam from 3 forged addresses [so far]:

instructables@****mathews.com
instructables.com@****vall.org
instructables.kz8@****puppy.com

I went to the "forgot my info" page, and entered those addresses. All are valid here. I tried a randomly typed address, and was informed it was invalid.

This is a security design mistake: the response should be identical whether or not the address is in the database, so that the form cannot be used to confirm who is a member.
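The "forgot my info" problem above, as an added example (not Instructables' code): a leaky reset handler that answers differently for known and unknown addresses, the fixed handler that returns one message either way and only sends mail when the account exists, and the attacker's side, which feeds guesses to either handler and keeps whichever ones the reply confirms. The `ACCOUNTS` table and the addresses are constructed for the example; the `OUTBOX` list stands in for an actual mail sender.

```python
"""User enumeration through a password-reset form: leaky vs. safe handler."""
import secrets

# Constructed account table (assumption); a real system queries its user store.
ACCOUNTS = {"alice@example.com", "instructables.kz8@puppy.invalid"}

OUTBOX = []  # (address, token) pairs that would have been mailed out

LEAKY_FOUND = "A password reminder has been sent to {addr}."
LEAKY_MISSING = "The address {addr} is not registered."
SAFE_MESSAGE = ("If the address {addr} is in our database, you will receive "
                "a reminder in your inbox shortly.")


def normalize(address):
    return address.strip().lower()


def issue_reset(address):
    """Generate a reset token and queue the mail."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((address, token))
    return token


def forgot_password_leaky(address):
    """The behaviour described in the post: the reply itself confirms membership."""
    addr = normalize(address)
    if addr in ACCOUNTS:
        issue_reset(addr)
        return LEAKY_FOUND.format(addr=addr)
    return LEAKY_MISSING.format(addr=addr)


def forgot_password_safe(address):
    """Same reply either way; mail goes out only if the account exists."""
    addr = normalize(address)
    if addr in ACCOUNTS:
        issue_reset(addr)
    else:
        secrets.token_urlsafe(32)  # do equivalent work so response time does not leak either
    return SAFE_MESSAGE.format(addr=addr)


def enumerate_accounts(candidates, oracle):
    """Attacker's side: a guess is confirmed when its reply differs from the
    reply for an address that certainly does not exist (the echoed address
    is masked out before comparing)."""
    probe = secrets.token_hex(8) + "@probe.invalid"
    baseline = oracle(probe).replace(normalize(probe), "{addr}")
    confirmed = set()
    for candidate in candidates:
        reply = oracle(candidate).replace(normalize(candidate), "{addr}")
        if reply != baseline:
            confirmed.add(candidate)
    return confirmed


if __name__ == "__main__":
    guesses = ["alice@example.com", "nobody@example.net",
               "instructables.kz8@puppy.invalid"]
    print("leaky form confirms:", enumerate_accounts(guesses, forgot_password_leaky))
    print("safe form confirms: ", enumerate_accounts(guesses, forgot_password_safe))
```

Against the leaky handler the attacker learns exactly which guesses are members; against the safe one every reply is the same template, so the list of confirmed accounts is empty. A per-client rate limit on the form is still worth adding, since a uniform reply does not stop someone from using it to generate nuisance reset mail.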

Now, if this had been a dictionary attack, I can certainly imagine that evil, but not stupid, spammers already know my technique and might try 'instructables@example.com' or 'instructables.com@...', but the chances of guessing "instructables.kz8" and having it just happen to be a valid Instructables community member are practically nonexistent.

So, there's the evidence, and hopefully this gets addressed. I do not know if any other personal info has been stolen, and will not speculate.

Well, just a little. A new Adobe PDF exploit was released into the wild yesterday. I bet the machine that contains the email addresses is sitting on a user's desk [bad idea] and has Adobe Reader installed [bad idea] and is used to read email [really bad idea].
 
lulz4you, 2 years ago
This is no database breach...this looks like the instructables admin, siteowner, whatever is selling our emails to mass spammers for a quick buck.
1tri2god, 2 years ago
Thank you BobCat for writing this, it is indeed informative...not just that this is a useful way to track down such grievances (will be getting my own domain soon...just so smart that you thought this up) but also because Eric and Rachel are courteous to publicly address this. I'm just a neutral 3rd party who don't know any of you. But there are definitely less responsive webmeisters out there!
kick in the teeth!
ewilhelm, 3 years ago
Hi,

Thanks for bringing this to our attention.

The most likely way your unique, Instructables-only email was compromised is through our previous newsletter provider iContact. A few years ago, we transitioned our email newsletter from iContact to Streamsend (you can verify this by looking at the unsubscribe information in past newsletters), and more recently iContact had a security breach. Unfortunately, iContact had not purged the email addresses that were in our inactive account. Since we no longer had a relationship with them, iContact did not inform us about the breach, nor give us any information concerning how many Instructables email addresses were compromised. I have since insisted that they purge all of our emails addresses, and I apologize that this did not happen when we originally changed newsletter providers.

While I believe the breach in security to be out of our direct control, it is my responsibility to hold our vendors to a high level, and I failed in this regard. We now have a written policy about purging user data from third-parties when we end relationships with them, but a policy after the fact doesn't help you, and again I apologize that we screwed up.

We take security seriously, and yours is among a single-digit number of reports detailed enough for us to track it down to iContact. Since we never got a proper report from iContact and were not able to identify users whose email addresses might have been compromised, I opted not to reach out to everyone on our newsletter mailing list to let them know a security breach might have happened -- I find broad-based security announcements about the potential compromise of nothing more personally identifying than email addresses to be in-actionable.  However, the security breach was publicly blogged in February 2010 by the first person to report it to us; you can read their report here: update on possible user database breach at instructables.

To your concern about the forgot password system: We monitor the frequency of forgot password requests, and have internal systems and unique emails specifically to watch if spammers are using this or other tools on Instructables to get your information. At this time, we don't believe there to be a security breach through any of our systems, but are taking your posting as an opportunity to a do a general review. If we do find something, I'll let you know.

Finally, from a spammer's perspective, Instructables' total email database is relatively small, so we, fortunately, tend not to see that many of their resources directed against us. And no, the machine with the email database is not sitting on a user's desk.
BobCat (author), replying to ewilhelm, 3 years ago
I was mildly concerned about this matter [enough to write it up so others could learn from it], but now I am mildly upset. You've known about this for months, during which time I've gotten dozens of email newsletters, and read many instructables and forums, but you never mentioned it?

That is no way to build trust in a community.

Right now, there are spammers using the addresses of members in the From: line of spams. That in fact was why I looked into this is in the first place, I got a reply to my instructables address from a spam target's server.

At least most people now know a joe job (http://en.wikipedia.org/wiki/Joe_job) when they see it. Some people still don't know, though, and send angry mails to an innocent.

Continue to use your "forgot my info" techniques, but always give the message "If the address instructables@example.com is in our database, you will receive a reminder in your inbox shortly". Don't forget, I not only now know the real names of those members, I know they have catch-all set on their domains, and thus could hammer them with unblockable emails. This is info I should not have been able to easily find.

"That is no way to build trust in a community."

I couldn't agree with you more.
BobCat (author), replying to BobCat, 3 years ago
By the way, could you fix that linking problem? I see it in comments, forums, and instructables. I saw a complaint in a forum, too, after you introduced the new submission process.
rachel, 3 years ago
It's also worth it to explicitly state that we have no reason whatsoever to believe that any of Instructables' machines have ever been compromised. And iContact (as well as our current newsletter provider Streamsend) do not have any user information other than email addresses. As Eric stated, we do take our users' privacy very seriously. Please check our Privacy Policy for our full disclosure on the subject. And do continue to give us your feedback!
archdave, 3 years ago
I also use this method and have gotten spam via Instructables.

P.S. I said it nicely.