Viewing 15 replies - 1 through 15 (of 34 total)
  • Thread Starter ericr23

    (@ericr23)

    By the way, our email addresses are not [email protected].

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    This information is public domain and isn’t considered part of security, but what specifically showed you they had your email address?

    Thread Starter ericr23

    (@ericr23)

    They sent the emails to each of us at our non–ourdomain addresses: the ones with which each editor’s account was created.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    What do you see if you use

    https://example.com//wp-json/wp/v2/users

    Thread Starter ericr23

    (@ericr23)

    Interesting! I get a list of the authors: name, slug, and URL to list their posts. No email, though.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    You can disable that via an option in WordFence.

    Thread Starter ericr23

    (@ericr23)

    Thanks — I just installed Wordfence: quite impressive.

    Jumping in here to mention that I also got this password reset mail. The mail was sent from my site and via my mailserver. But the email contained the same .org.au domain/sender as OP here got; how did that happen?

    I have a client who is also receiving (unsolicited) password reset emails from that address. (I am looking into the headers to try to figure out if it originated from our server or not.)

    If this were a phishing attack, wouldn’t the reset links go somewhere else? My concern is the password reset links look correct. So if this is spam/phishing, what is the purpose? If not, how did that email address get in there? And why are these emails being triggered?

    Thread Starter ericr23

    (@ericr23)

    That was a question I had, too. I guess they expect some recipients to reply instead of clicking the link – or maybe to do so after the link messes up one’s login, which I suspect it would.

    Also, although the X-PHP-Script header indicates the originating script as being at plus.org.au, the email was sent from our server.

    Thread Starter ericr23

    (@ericr23)

    The email is indeed the standard email for a WordPress password reset. Someone can attempt to log in with your username and then make the request, and that is exactly the email you would be sent. But the originating script would be from your domain, not, eg, plus.org.au (which is the long inactive domain of the Australian Labor Party’s Progressive Left Unions and Sub-branches; it now returns “Bandwidth Limit Exceeded”). (The X-PHP-Script–indicated IP address, however, is that of the Ban Righ Centre at Queen’s University in Kingston, Ontario.)

    So how did the spammers get our account info, including emails, onto their server(s)?

    I have analyzed my logs and the suspicious traffic is nothing more than this:

    
    130.15.170.138 - - GET /category/web/twitter HTTP/1.1" 301 493 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"
    130.15.170.138 - - "GET /category/web/twitter HTTP/1.1" 200 84889 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"
    130.15.170.138 - - "GET /wp-json/wp/v2/posts/?per_page=100 HTTP/1.1" 200 325371 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
    130.15.170.138 - - "POST /wp-json/wp/v2/posts/644 HTTP/1.1" 400 3846 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
    130.15.170.138 - - "GET /wp-json/wp/v2/posts/1231 HTTP/1.1" 200 7540 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
    130.15.170.138 - - "GET /wp-json/wp/v2/users HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
    130.15.170.138 - - "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3655 "-" "-"
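    The excerpt above is the sequence a defender wants to alert on: a GET to the REST users endpoint followed, from the same address, by a POST to wp-login.php?action=lostpassword. The script below is an added example, not code from the thread or from WordPress; it parses combined-format access-log lines, groups them by client address, and flags any address that enumerated users and then triggered a reset. SAMPLE_LOG holds the seven lines quoted above verbatim (the first one is missing its opening quote as posted, and the parser tolerates that) plus one constructed benign request with a timestamp. The check for the `?rest_route=/wp/v2/users` spelling of the same endpoint goes beyond what the thread shows.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the thread's own seven lines, plus one benign request (198.51.100.9) added
# here for contrast. The thread's lines carry no timestamp and the first lacks its opening quote.
SAMPLE_LOG = """\
130.15.170.138 - - GET /category/web/twitter HTTP/1.1" 301 493 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"
130.15.170.138 - - "GET /category/web/twitter HTTP/1.1" 200 84889 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"
130.15.170.138 - - "GET /wp-json/wp/v2/posts/?per_page=100 HTTP/1.1" 200 325371 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
130.15.170.138 - - "POST /wp-json/wp/v2/posts/644 HTTP/1.1" 400 3846 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
130.15.170.138 - - "GET /wp-json/wp/v2/posts/1231 HTTP/1.1" 200 7540 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
130.15.170.138 - - "GET /wp-json/wp/v2/users HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
130.15.170.138 - - "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3655 "-" "-"
198.51.100.9 - - [10/Jan/2018:10:00:00 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format. The timestamp is optional (the quoted lines omit it) and so is the quote
# before the method (the first quoted line omits it); the closing quote of the UA is optional too.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[[^\]]*\] )?"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"?'
)

USERS_ENDPOINT = re.compile(r"/wp-json/wp/v2/users(?:/|$)")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def is_user_enumeration(ev):
    """GET of the REST users collection, by pretty URL or by the rest_route query form."""
    if ev["method"] != "GET":
        return False
    if USERS_ENDPOINT.search(ev["path"]):
        return True
    route = ev["query"].get("rest_route", [""])[0]
    return route.startswith("/wp/v2/users")


def is_lost_password_post(ev):
    """POST to wp-login.php with action=lostpassword, i.e. a password-reset mail being requested."""
    return (ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")
            and ev["query"].get("action", [""])[0] == "lostpassword")


def analyze(log_text):
    """Per-IP summary: did the address enumerate users, and did a reset request follow?"""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        # Only a successful (200) listing counts as enumeration; a 401/403 means it was blocked.
        first_enum = next((i for i, e in enumerate(events)
                           if is_user_enumeration(e) and e["status"] == 200), None)
        resets = [i for i, e in enumerate(events) if is_lost_password_post(e)]
        findings[ip] = {
            "requests": len(events),
            "user_enumeration": first_enum is not None,
            "lostpassword_posts": len(resets),
            "enumeration_then_reset": first_enum is not None and any(i > first_enum for i in resets),
            # Several User-Agents from one address in one burst is a supporting signal, not proof.
            "distinct_user_agents": len({e["ua"] for e in events}),
        }
    return findings


def flagged_ips(log_text):
    """Addresses that listed users and then requested a password reset, in that order."""
    return sorted(ip for ip, f in analyze(log_text).items() if f["enumeration_then_reset"])


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
    print("flagged:", flagged_ips(SAMPLE_LOG))
```

    Run it against a real access log by passing the file's contents to `analyze`; on a server where the users endpoint has been restricted, the listing would return 401 or 403 and the enumeration flag would stay false even if the reset POST still appears.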
    
    
    Thread Starter ericr23

    (@ericr23)

    The several emails that I received indicated several different originating IP addresses, so they are probably random and spoofed.

    Has anybody figured out what would actually happen if one were to click on a link? The links seem totally correct, the same structure as legit password recovery links. Seems like the spammers could only do something nefarious from them if your site were actually hacked already.

    I suppose this could just be a trial phishing run, maybe they will swap out malware links later.

    Client is now getting the fraudulent password resets from ‘[email protected]

  • The topic ‘How did spammer get usernames and emails’ is closed to new replies.