A few years back I bought a marine VHF radio for recreational boating use, and requested an MMSI number through one of the private providers, as directed by FCC – it’s the last one, usps.org (not related to postal service). Site required some basic personal info like name/address, and I used unique email address and password. Since my MMSI number is tied to that site I kind of have to keep using that site.
This year I started receiving extortion scam emails to that address, which included my password in plain text (to prove that they “hacked” me). You know, those email that ask you to send bitcoins to avoid a recording of you being shared with friends. Due to using a unique email and password, I’m 100% certain that the data was leaked from usps.org.
On the website I could see two issues right away (no usage of https, and displaying plain text passwords when you’re logged in). This leads me to believe they don’t take security seriously at all and there are likely tons of backdoors to pull their user data.
I have contacted all admin emails I could find on usps.org, described the situation and asked to address security issues but got no response. Interestingly enough the site did start using https a few months after my email. I changed my email and password on the https site, and now I’m getting megatons of spam on the new email address.
What can I do to get the site owners to take action? My main concern is that it’s not just a random site, but it appears to have some affiliation with FCC and US Coast Guard. And since their audience is non-techy, I assume scammers are making a good profit – bitcoin wallet numbers I received to send ransom to usually had multiple transactions to them already.