Winnipeg Garbage and Recycling Apps Leak Email Addresses After Developer Hacked [u]

Two smartphone apps used by residents in Winnipeg were hacked in a data breach which resulted in 3,500 users potentially seeing their email addresses leaked, reports the Winnipeg Free Press.

Winnipeg city hall confirmed the apps My Waste and Recycle Coach, which help homeowners keep tabs on garbage and recycling pickup days, did experience a data breach.

Screenshot 2018 04 19 14 24 52

“The only information that was breached was email addresses, and that breach has been contained. We continue to work with Recycle Coach/My Waste to address the breach and ensure that customer email addresses are protected in the future,” the spokeswoman said in an email to the Free Press.

“We would like to reassure members of the public that the city is committed to protecting their privacy and can confirm that there has been no breach of personal information held by the city.”

Recycle Coach and My Waste are owned by Toronto-based Municipal Media. Users were informed on Tuesday the company’s databases were breached and some user emails may have been leaked.

Municipal Media has a contract with the city to provide residents with garbage, recycling and yard-waste collection schedules.

A City of Winnipeg spokeswoman said the city has a contract with Municipal Media to provide customers with a garbage, recycling and yard-waste collection schedule, as well as information on what can and can’t be recycled.

Screenshot 2018 04 19 14 24 46

Municipal Media Inc. president Creighton Hooper told CTV Winnipeg the company used a third party service to send out email notices to users subscribed to the app. The email account for that email service included emails for 55,000 people around the world—and was hacked on April 16th.

Email addresses were stolen, but no other info was compromised. “There were no names associated with them, no locations, and of course no passwords or any other personal information,” said Hooper.

Users of both apps are being told to not click on suspicious links and to be on the look out for possible phishing emails which may try to pose as Recycle Coach and My Waste.

Did you get an email notifying you of your email address being compromised by this data breach?

Update April 20, 2018: Municipal Media reached out with the following statement, while they also asked us to change our headline because they did not believe it was factual. They said their apps were not hacked, but rather one of their accounts used to access MailChimp. For now, the title over at the Winnipeg Free Press still reads “Garbage, recycling pickup apps hacked for email addresses”:

Approximately 55,000 email addresses were stolen from our MailChimp account on Monday, April 16 around 6:15 pm ET. The list contained subscriber email addresses only – no names, no location (not even country), and no passwords. We contacted all residents within 24 hours to advise them of the theft.

None of our internal systems were affected in any way. The emails were stolen from an external service (called MailChimp) that we used last December to advise residents they are now able to get recycling information through Google Home and Amazon Echo (Alexa).

Other than to be extra vigilant about spam messages, residents don’t need to take any additional steps. We don’t require passwords, so there’s nothing to change. Any reminders they have set up will continue to be sent to them.

To the best of our knowledge, there has only been one spam message sent. It contained the subject line “Your Exclusive Recyclecoach Deal With 95% Discount! ??”.

We currently have protocols in place to ensure incidents like this don’t happen again. We now use multi-factor authentication and 1Password for all internal and third-party services, including MailChimp.

Residents who have contacted us have been, for the most part, overwhelmingly understanding and helpful. To those who were impacted, we apologize.


P.S. Help support us and independent media here: Buy us a beer, Buy us a coffee, or use our Amazon link to shop.