Monday, December 13, 2010

Securely Storing Opt-Out Email Addresses

Walgreens was just compromised and an attacker got the master list of email addresses that also included email addresses of people who had opted-out of receiving Walgreens emails. The attacker promptly sent phishing attacks to all of the email addresses in an attempt to elicit private user data.

This brings up an interesting design issue. On one hand you need to store the email addresses of people that have opted out of email, otherwise you may inadvertently re-add them in the future from other sources or user actions, but on the other hand, storing all of these email addresses increases the damage if the list is compromised.

Solution? Hashing. For every email address that is in your "opt-out" list, simply store the hash of the email address instead of the actual email address. When you get a new email address, compare its hash against your list of "opt-out" hashes. If you have a match, then it's an opt-out. Throw away that email address. For new opt-outs, simply add the hash of their email address to the "opt-out" hash store and discard the plain text email address.

This way you get the benefits of not inadvertently re-adding users that have previously opted-out while also ensuring that a compromise won't disclose the huge number of people who really don't want any of your emails anyway.
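Here is the scheme above worked through in Python. This is an added example, not code from the original post. It goes slightly beyond the text in two ways: addresses are normalized (trimmed and lowercased) before hashing so that "Alice@Example.com" and "alice@example.com" match the same opt-out record, and the hash is a keyed HMAC-SHA256 with a secret "pepper" kept outside the database rather than a bare hash, because email addresses are low-entropy and an attacker holding a list of plain hashes could otherwise recover them by hashing address lists they already have. The pepper value, the `OptOutStore` class and the sample addresses are all constructed for this example.

```python
import hashlib
import hmac

# Constructed pepper for the example. In production load this from a secrets
# store or environment variable, never from the same database as the hashes;
# if the pepper leaks with the table, the keyed hash is no stronger than a plain one.
PEPPER = b"example-pepper-not-a-real-secret"


def normalize(email: str) -> str:
    """Canonicalize an address so trivially different spellings hash the same.
    Lowercasing the local part is a practical choice (RFC 5321 allows it to be
    case-sensitive, but mail providers do not treat it that way)."""
    return email.strip().lower()


def opt_out_token(email: str, key: bytes = PEPPER) -> str:
    """Keyed hash of a normalized address; this is all the store ever keeps."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


class OptOutStore:
    """In-memory stand-in for the opt-out hash table. Only tokens are stored;
    the plaintext address is discarded as soon as the token is computed."""

    def __init__(self, key: bytes = PEPPER):
        self._key = key
        self._tokens: set[str] = set()

    def add_opt_out(self, email: str) -> None:
        self._tokens.add(opt_out_token(email, self._key))
        # `email` goes out of scope here; nothing retains the plaintext.

    def is_opted_out(self, email: str) -> bool:
        return opt_out_token(email, self._key) in self._tokens

    def filter_new_addresses(self, emails: list[str]) -> list[str]:
        """Apply the post's rule to an incoming batch: drop anything that
        matches an opt-out token, keep everything else in plaintext."""
        return [e for e in emails if not self.is_opted_out(e)]

    def __len__(self) -> int:
        return len(self._tokens)


def demo() -> list[str]:
    """Run the scenario from the post on constructed sample data."""
    store = OptOutStore()
    store.add_opt_out("Alice@Example.com")  # user opts out; plaintext discarded

    # Later, addresses arrive from another source (constructed sample input).
    incoming = ["alice@example.com", "bob@example.com", " ALICE@example.com "]
    return store.filter_new_addresses(incoming)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns only `bob@example.com`: both spellings of Alice's address hash to the stored token and are dropped, while the store itself never held her address in the clear. Rotating the pepper invalidates every stored token, so treat it like any other long-lived key and plan for that before deploying.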

Note: Don't hash your "opt-in" email addresses or your normal mail functionality won't work at all.

-Michael Coates - @_mwc