Tesla-box: Anyone else receiving these spams?

[AnOutsider]

Suggest you mark it as junk and not worry about it.

I, for one, would like to know how the address was obtained so that I can take steps to prevent it happening in the future.

 

[DrumCoder]

Thankfully for me, Gmail already classified it as spam before I even saw the first email. I only saw it because I periodically look in there to see if there are any false positives.

They could have gotten it via a combination of means, probably partly my theory, partly from the DNS hijack (although I've never sent them an email, much less during the time of the DNS hijack), etc. I know that the sales side of Tesla is run off of Salesforce and they take security pretty seriously on their platform.

 

[msnow]

I, for one, would like to know how the address was obtained so that I can take steps to prevent it happening in the future.

I totally understand you wanting to prevent it but as a 20+ year security professional I can tell you that you'll be wasting cycles. ~90% of all emails are spam (most, thankfully, are filtered before you ever see it). Short of changing your email address, and never using it on web sites it's unfortunately something we have to live with.

 

[thecloud]

There's a similar thread going on over at the TM forums.

The really interesting part of that thread: people are claiming that they got the spam on unique purpose-created email addresses that have never been used for anything except their MyTesla account. The address is also not the same as their account name, which goes against the theory that the spammers harvested account names from forum posts and then tried tacking on a variety of service provider domains.

One of the TM posts hits this nail on the head:

This concerns me, because if I had evil intent and a list of email addresses tied to TM accounts, I'd start throwing dictionary passwords at them to see how many logins I could get. A login gives me the GPS location of a tesla and a way to start it.

I'm sure Tesla is already doing a security review, but it's not a bad idea to remind us all to change our MyTesla passwords periodically.

 

[AnOutsider]

I totally understand you wanting to prevent it but as a 20+ year security professional I can tell you that you'll be wasting cycles. ~90% of all emails are spam (most, thankfully, are filtered before you ever see it). Short of changing your email address, and never using it on web sites it's unfortunately something we have to live with.

I think we're missing each other here. I'm trying to figure out how the spammer got my info so that that specific hole can be closed. I actually get very little spam at this address, but that's not the point. He found a way to gain access to my email, and I'm curious how (both so that I can correct it and satisfy my curiosity).

I'd also be ticked if Tesla was the source after there was such a big deal about them having the hacker princess.

 

[msnow]

I think we're missing each other here. I'm trying to figure out how the spammer got my info so that that specific hole can be closed. I actually get very little spam at this address, but that's not the point. He found a way to gain access to my email, and I'm curious how (both so that I can correct it and satisfy my curiosity).

I'd also be ticked if Tesla was the source after there was such a big deal about them having the hacker princess.

Yes I understand what you're trying to do but figuring out how spammers cull email addresses and then stopping it is a problem security scientists have been dealing with for decades but it doesn't hurt if you have the time to spend on this. By the way the security lady you mention did a pretty good job locking down the car.

 

[thecloud]

I'd also be ticked if Tesla was the source after there was such a big deal about them having the hacker princess.

She left Tesla about 9 months ago, and I'd be very surprised if she ever had anything to do with the website or customer database aspect of things.

If the TM forum posters are accurate and their email addresses were unique to MyTesla, then the only question seems to be whether the entire database got leaked here. It appears to have been obtained by a third-party Chinese company, so one could potentially draw an inference about who benefitted from this data, or who could make money by reselling it to others. However, if password hashes were also leaked, there are very disturbing implications about how that data could be used.

 

[EVenthusiast]

So did anyone with a Tesla account not get the email? I do have an account, but didn't get any of these emails.

I don't have a Tesla vehicle either.

 

[bonnie]

I have a Tesla account, first created in Feb 2011.
I have two Tesla vehicles.
I didn't receive the spam emails.
I checked my spam filter, nothing there either.
I'm in the US.

 

[green1]

So did anyone with a Tesla account not get the email? I do have an account, but didn't get any of these emails.

I don't have a Tesla vehicle either.

I did not get the email, however there are a few possible reasons why:
-my spam filter might have stopped it.
-I'm not in the US, so maybe they targeted a certain market
-my account was only created in September, so the info could have leaked before then.

 

[thecloud]

Based on the reports so far, there seem to have been 2 separate targeted bulk mailings, one on November 26, and one on December 23. I did not get the email in the first round, but I did in the second. Not sure what if anything can be assumed from this, except that perhaps the list was split up.

 

[Chris TX]

My wife's email address is the primary on the Tesla account and she got this spam last month. It was already in the Spam folder, but she's not on this forum nor was ever on the Tesla Motors forum. She has also never bought anything from 3rd party vendors for our Tesla.

What the hell is going on? Placing a call to Tesla, tomorrow.

 

[GreenT]

Just got an ominous email this morning that Google marked "suspicious" about tslabox.com (missing e)

Did not click on any links but sounds like the same outfit.

I stupidly clicked on Delete forever so I cannot post any of its verbiage.

 

[bmah]

I got one of these today. They must have improved the product because it's now the "Tesla super storage box" (emphasis mine).

The email address that it came to is the one I use for MyTesla, TMC, and pretty darn near everything else.

I have this vague recollection of getting something like this before, like maybe in one of the mailings discussed upthread. Am I concerned? Not really...too many other things going on in my life to worry about this!

 

[Shawn Snider]

Sounds like they were hacked.. Feels like China.