This all sounds fairly terrifying. But the worst that may come of it is a sneakier and more sinister version of spam, security experts say.
Because the hacker, according to Epsilon, lifted only e-mail addresses and names, there's little fear that the huge leak of information could by itself lead to stolen identities and drained bank accounts.
What security experts do worry about, however, is a malicious form of spam called "targeted phishing" or "spear phishing." These terms refer to fake e-mails that try to look real because the scammer knows something about you.
Say you had signed up to receive marketing e-mails from Kroger, which is a major U.S. grocery store chain. If your e-mail address and name were stolen as part of the recent security breach, a scammer, knowing you sometimes get e-mails from Kroger and probably wouldn't be suspicious of them, could design a fake e-mail that looks like it came from Kroger. Such an e-mail might ask you for sensitive information, like a Social Security number or bank account number.
If you divulged that kind of personal data, you could become a victim of identity theft.
"Put on your thinking cap before you give anyone sensitive information like a password or social security number online," writes the blog TechCrunch.
SecurityWeek, which has an up-to-date list of companies it has confirmed are part of this e-mail leak, says this is still cause for alarm.
"Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands.
"Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher 'hit rate' than a typical 'blind' spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate."