Solved Piriform CCleaner email about MoveIT data leak

Senecio · Oct 25, 2023

I just received this email:

Information about the MOVEit vulnerability

We’re reaching out as some of your personal information such as name and contact information has been exposed on the dark web. We take the safety of our customers extremely seriously, and we want to be sure you are aware of the potential impact and how to best protect yourself.

Earlier this year many companies were impacted by the MOVEit vulnerability. As a user of the software, we acted immediately to protect our systems and investigate the potential impact. We recently discovered that as a customer of CCleaner, some limited personal information of yours was exposed on the dark web. The information is primarily limited to name and/or contact information, as well as information on the product you purchased from us. No banking details, credit card numbers or high-risk data such as log-in information or account details were taken.

Naturally, we take any data exposure very seriously. As a valued customer, we would like to offer you BreachGuard for additional dark web monitoring, free of charge, for 6 months. BreachGuard helps monitor for data breaches, personal information on the dark web, and can give you access to privacy resources as applicable in your region. We will send details of how to install BreachGuard in the coming days, so please keep an eye out for those instructions, which we will send to this email address.

Please stay vigilant against potential phishing threats, as more commonly available personal information, like your name and contact information combined with purchase information, can be engineered to phish for high-risk data. You can learn more about how to best protect yourself here:

Thank you for your continued support. Stay safe and keep an eye out for your instructions to install BreachGuard.

Your CCleaner Team

I find CCleaner very useful and would prefer not to stop using it, but I'm really doubtful about installing BreachGuard. I'd be interested in your thoughts on this matter, and what steps I should take to protect myself against identity theft.

John

IanMosley · Oct 25, 2023

Are you sure this email is genuine? I've not received any communication from Piriform, other than the usual hype about a new release of CCleaner.

You've removed the link - quite correctly - so I'm unable to pass an opinion on it's validity.

Whenever I personally get emails of this kind, I check the email address in the body; if it looks at all suspicious, I immediately delete it.

glasskuter · Oct 25, 2023

I wouldn't use BreachGuard either. I use the free version of Ccleaner so they have no personal data of mine but even if I used the paid version, I wouldn't stop using it. Your data is already out there. My personal information has been compromised twice (that I'm aware of), once when our local hospital was compromised and another when one of the biggest hospitals in Dallas got hit. There, too, I was told the only thing that was stolen was my name, phone number, and email. The only repercussions I've seen from it was more junk mail. I created a new email address and left the other one to handle all the junk.

It's scary to hear "your information is on the dark web" but folks don't understand one's info is on the dark web anyway. It doesn't take a breach to put it there. So if you've ever signed up for a drawing, used your email to login to a site, purchased on the web, etc, your info is out there.. Mailing lists are sold and bought by the droves every single day ..

Senecio · Oct 25, 2023

IanMosley said:
Whenever I personally get emails of this kind, I check the email address in the body; if it looks at all suspicious, I immediately delete it.

The email addresses certainly look valid, however I'm not about to take any action based on that email, other than asking the question here!

If it is the case that "Piriform" aka Avast has been hacked, this would be the second time that has happened. It doesn't exactly inspire confidence in them as an antivirus software company.

WAI · Oct 25, 2023

I'd spam the Mail. That company has become a whatever

Senecio · Oct 25, 2023

@glasskuter Thanks for the reassurance! I did find a similar comment on the BBC web site which essentially said that the hackers are mainly interested in making money from commercial companies, and not the small guy. They did also say that one needed to be extra careful. Perhaps the most worrying comment I have seen is on the Experian web site: What You Need to Know About the MOVEit Data Breach - Experian but I guess they have a product to sell. (They were implying that bad actors could use this data to apply for credit using your details, and that one should 'freeze one's credit')

Senecio · Oct 25, 2023

WAI said:
I'd spam the Mail.

I don't suppose I'll be doing that, it sounds like a lot of effort for no reward.

ZGold · Oct 25, 2023

Senecio said:
I don't suppose I'll be doing that, it sounds like a lot of effort for no reward.

I think they meant add it to your spam list, not spam the email with messages...

FWIW, I had an invoice/offer through paypal that raised my red flags and came from an @email.ccleaner.com address, which support@ccleaner.com confirmed was not from them (purchases and confirmations being handled by their cleverbridge.com domain), so I've been reporting all emails from the @email.ccleaner.com domain to report@phishing.gov.uk - including the one that I've just had for BreachGuard

antspants · Oct 25, 2023

Rare to see a company of this size not have a link to view an email online. A search for;
“Piriform; Information about the MOVEit vulnerability“
”CCleaner; Information about the MOVEit vulnerability“
yield nothing.

Wisewiz · Oct 25, 2023

I don't think it's legitimate. To begin with, they used a Subject line from a stock email promo.
"Dan, Driver update recovery improved in CCleaner v6.14!"
Then, they began the message with

Please do not reply to this email as the mailbox is not monitored.

Information about the MOVEit vulnerability

That looks like a fishy combination of features. I'll look at the CC discussion forum. If it's either real or phony, there'll be something on the forum about it.

Wisewiz · Oct 25, 2023

Okay, one of the mods at the CC discussion forum has this to say in response to a query about the legitimacy of the email:

That's definitely a scam email. (Do you even have the MOVEit Transfer app on your computer? Unless you are a major organisation/business user then I'm guessing not).

For one thing CCleaner is not an antivirus so it would not even see such a ransomware to warn you about it.

Don't click the link - Delete the email.

Then use haveIbeenpwned to check if/which of your email addresses have been harvested by the bad guys who sent you that email.

IanMosley · Oct 26, 2023

Senecio said:
The email addresses certainly look valid, however I'm not about to take any action based on that email, other than asking the question here!

i'v now received my own copy of this email.

However, I used Dashlane (my password manager) to check for any information breaches -

which came back with no recorded information.

kelper · Oct 26, 2023

Isn't email.ccleaner.com under the ccleaner.com domain? If you hover over the sender's email, do you see the real address at the bottom of your screen? Could some of the letters in email.ccleaner.com be from a different langauge? You might see this if you zoom in.

Ghot · Oct 26, 2023

I got a snail-mail letter saying the same thing about the county I live in, and the MoveIt software.
They offered two years free identity protection.

I figure giving my info to yet another organization, won't help to protect my data.

Senecio · Oct 26, 2023

Wisewiz said:
Okay, one of the mods at the CC discussion forum has this to say in response to a query about the legitimacy of the email:

That's definitely a scam email. (Do you even have the MOVEit Transfer app on your computer? Unless you are a major organisation/business user then I'm guessing not).

For one thing CCleaner is not an antivirus so it would not even see such a ransomware to warn you about it.

Don't click the link - Delete the email.

Then use haveIbeenpwned to check if/which of your email addresses have been harvested by the bad guys who sent you that email.

It seems that a number of CCleaner users have now also received this email. I'd be interested to know whether anyone who doesn't have CCleaner has also received it, otherwise it does suggest that maybe Piriform/Avast does have a problem regarding leaking customer details.

Note that the email is not telling me that I have that ransomware, but that Piriform/Avast has, and so has leaked my personal data.

I have deleted the email. I already know that my email address (associated with a password which I no longer use) has been on the dark web for a decade or more. I'm sure that some of the junk mail I get relates to that.

John

ZGold · Oct 26, 2023

kelper said:
Isn't email.ccleaner.com under the ccleaner.com domain? If you hover over the sender's email, do you see the real address at the bottom of your screen? Could some of the letters in email.ccleaner.com be from a different langauge? You might see this if you zoom in.

I assume not, but I do probably have more cynicism than actual knowledge :eyeroll:

I get no different email pop up on hovering over the sender's email and links in the email are to https email.ccleaner.com addresses followed by something that looks encoded (groups of letters and numbers separated by hyphens), and it definitely doesn't look like there's any foreign characters.
Like I said, I've had a confirmed fraud attempt through PayPal using this sender email domain, and it was a flat 'no that's not us', not 'no, that's someone spoofing our email', so

kelper · Oct 26, 2023

OK. Just because Piriform did not send the message does not prove that the email address is not spoofed and would actually go somewhere else.

Interestingly, the email address news@email.ccleaner.com IS valid, as seen on their webpage.

Whitelisting Email Address

www.ccleaner.com

ZGold · Oct 26, 2023

Fair, and interesting to know, but given my track record with communications from (or purporting to be from) it, not an email address I'm going to be trusting soon.

A Guy · Oct 26, 2023

https://twitter.com/x/status/1717291454341750929

The Cyber Express Team tried to reach to contact CCleaner’s officials to authenticate the claim of a CCleaner data breach. At present, we are eagerly anticipating a response from the CCleaner team.