So, a while ago, I bought a domain name (which will be aliased as "mydomain.com" for the rest of this post), and whenever a website or store (e.g. Home Depot) asks for my email, I give them my email as that location at my domain name (e.g. homedepot@mydomain.com). This would let me know when a given place sells my information, since I'd start getting emails to homedepot@mydomain.com from people other than Home Depot.
Well, today, something unexpected happened. Perhaps because my email had the name of the place (aliased as "pizzaplace" here) in it, I received an email. Two emails actually. Copied below (unedited):
Dear HungerRush,
You cannot ignore all my requests and expect me not to take malicious actions. You still have time. Every restaurant and customer of said restaurants' data which is in the millions is in jeopardy here and I can't even get a response back. Not to worry, there's still time left.
You know where to contact me. (p********p****@protonmail.com)
and
Dear HungerRush,
You cannot ignore all my requests and expect me not to take malicious action. You still have time. Every restaurant and customer's data is in jeopardy here, and I can't even get a response back.
What happens next is all up to you. I would assume you're a company that wouldn't let millions of your consumers unwillingly have their full names, emails, passwords, addresses, phone numbers, dates of birth, credit card information, and much more exposed over such a small amount of money.
You know where to contact me (p********p****@protonmail.com) or support.hungerrush.com (7526265).
The emails have the subject lines "Important Security Concern" and "Security Concern Follow-Up", respectively, and arrived in my inbox within 3 hours of each other.
In order to remain anonymous, it seems the blackmailer left out a "reply-to" field in the emails, and filled the "from" address as "support@hungerrush.com" for the first email and "2019@hungerrush.com" for the second. My email software is telling me that these email addresses are cryptographically verified with valid DKIM signatures, which potentially means the hacker not only got large amounts of user data, but was also able to either alter their DNS records or get access to their private signing key.
I have no way of getting in contact with the blackmailer to tell them they're emailing the wrong address. The emails also indicate that HungerRush has already received the original blackmail.
Regardless, HungerRush either had a big data leak, or for some reason they and pizzaplace are pulling a very elaborate prank on me. I'd bet on the former.
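A recipient can check what a "valid DKIM" verdict like the one described above actually covers: a pass vouches only for the domain in the signature's `d=` tag, so the useful question is whether that domain matches the From domain. The following is an added example, not part of the original post; the function names, domains and sample message are constructed, and the alignment test is a simplified stand-in for DMARC relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def aligned(from_domain, signing_domain):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the other."""
    f, d = from_domain.lower(), signing_domain.lower()
    return f == d or f.endswith("." + d) or d.endswith("." + f)

def inspect(raw):
    """Summarise who signed a message and whether that matches the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    signers = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    # Verdict recorded by the receiving server; only trust the copy your own MX added.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    passed = set(re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", auth))
    return {
        "from_domain": from_domain,
        "reply_to_present": msg.get("Reply-To") is not None,
        "signing_domains": [(t.get("d"), t.get("s")) for t in signers],
        "aligned_pass": any(aligned(from_domain, d) for d in passed),
    }

# Constructed sample: signed by the same domain that appears in From.
SAMPLE = """\
From: Support <support@vendor.example>
To: pizzaplace@mydomain.example
Subject: constructed sample
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
Authentication-Results: mx.mydomain.example; dkim=pass header.d=vendor.example header.s=sel1

body
"""
# Constructed variant: DKIM still passes, but for an unrelated signing domain.
THIRD_PARTY = SAMPLE.replace("d=vendor.example", "d=bulkmail.example")

if __name__ == "__main__":
    for name, raw in (("aligned", SAMPLE), ("third-party", THIRD_PARTY)):
        print(name, inspect(raw))
```

Run it against the raw source of a message ("show original" in most mail clients) to see the signing domain and selector behind the client's verdict.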