Discussion:
Demon sending out customer details via email
AlanC
2009-09-23 12:27:32 UTC
Has anyone been notified of this by Demon?

http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/

Pretty bad but even worse when you find out from a source other than
Demon!

Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?

Alan
Chris Marriott
2009-09-23 16:57:25 UTC
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
Pretty bad but even worse when you find out from a source other than
Demon!
Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?
Alan
I got the e-mail about eBill, but certainly no CSV attachment. It was only
sent out to business customers, apparently.

From the sound of it, it was the username and password on the eBill system
that was in the file, NOT anyone's internet account details.


Cheers,

Chris
Rex M F Smith
2009-09-23 17:22:25 UTC
Post by Chris Marriott
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
Pretty bad but even worse when you find out from a source other than
Demon!
Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?
Alan
I got the e-mail about eBill, but certainly no CSV attachment. It was only
sent out to business customers, apparently.
From the sound of it, it was the username and password on the eBill system
that was in the file, NOT anyone's internet account details.
Didn't get -that- attachment ... got a .pdf user guide with mine

but sending out the password -and- the userID in the same e-mail
seemed pretty loose security to me ...
--
Rex M F Smith
Richard Sutherland
2009-09-23 20:34:49 UTC
Post by Rex M F Smith
Post by Chris Marriott
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
Pretty bad but even worse when you find out from a source other than
Demon!
Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?
Alan
I got the e-mail about eBill, but certainly no CSV attachment. It was only
sent out to business customers, apparently.
From the sound of it, it was the username and password on the eBill system
that was in the file, NOT anyone's internet account details.
Didn't get -that- attachment ... got a .pdf user guide with mine
but sending out the password -and- the userID in the same e-mail
seemed pretty loose security to me ...
I got the csv and it had my name on it but account, phone no and email
address was different - I can only assume I've got a doppelganger
elsewhere on the customer database.
--
Richard. ** http://www.grange.demon.co.uk **
"Snarl, Growl, Kill, Maim, Murder!!" - Sig Vicious
Paul
2009-10-04 15:40:31 UTC
Post by Richard Sutherland
I got the csv and it had my name on it but account, phone no and email
address was different - I can only assume I've got a doppelganger
elsewhere on the customer database.
I saw someone say their full details were there, but that the account details
were in different rows of the CSV, which is at least /some/ attempt at
security


Paul

Tony Clayton
2009-09-24 18:44:50 UTC
Post by Chris Marriott
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
Pretty bad but even worse when you find out from a source other than
Demon!
Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?
Alan
I got the e-mail about eBill, but certainly no CSV attachment. It was only
sent out to business customers, apparently.
Not so. I am not a business customer, yet it was attached to my email.
Mind you, I had not realised it was there until I got the second email.

My own details were not in the file.
Post by Chris Marriott
From the sound of it, it was the username and password on the eBill system
that was in the file, NOT anyone's internet account details.
Cheers,
Chris
--
Tony Clayton ***@pem.cam.ac.uk
Coins of the UK : http://www.coins-of-the-uk.co.uk
Sent using RISCOS on an Acorn Strong Arm RiscPC
... This message is $hareWare! To register, please send £20
Mark
2009-09-23 17:44:00 UTC
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
With my e-bill email I received the attachment thurs.csv.

My details are not on the list, therefore I am guessing that the same attachment was
'stuck' on many separate email runs.

There are 3,681 rows in the csv (there is no header row) with the following columns:

1. Demon account number
2. Business name or the word '(null)'
3. First name
4. Surname
5. An email address
6. A telephone number
7. The word 'YES'
8. A two digit number 16 through 22
9. The e-bill user id
10. The e-bill password

These are the email headers:

Return-Path: <***@demon.net>
Received: from punt3.mail.demon.net by mailstore
for billing@[redacted].demon.co.uk id 1MqLQB-4HZVbs-02-ChQ;
Wed, 23 Sep 2009 06:33:47 +0000
Received: from [194.217.242.245] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1MqLQB-4HZVbs-02
for billing@[redacted].demon.co.uk; Wed, 23 Sep 2009 06:33:47 +0000
Received: from [195.173.1.1] (helo=microgenebilling.com)
by lon1-hub.mail.demon.net with esmtp id 1MqLQ9-00068m-Ie
for billing@[redacted].demon.co.uk; Wed, 23 Sep 2009 06:33:47 +0000
Received: from [10.231.192.28] (HELO wsmail01)
by microgenebilling.com (CommuniGate Pro SMTP 4.1.6)
with ESMTP id 17179279 for billing@[redacted].demon.co.uk; Wed, 23 Sep 2009 07:32:43
+0100
Message-ID: <413-***@wsmail01>
Organization: Demon e-Bill
From: "Demon e-Bill" <***@demon.net>
To: "billing@[redacted].demon.co.uk" <billing@[redacted].demon.co.uk>
Subject: Welcome to Demon e-Bill
Date: Wed, 23 Sep 2009 07:32:43 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_01BC2B74.89D1CCC0"

I registered an email address with the original c-bill of the form billing@
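As an added example (not code from any poster or from Demon), here is a Python check that parses a header-less CSV with the ten columns Mark lists and flags rows that pair an e-bill login with a password and an identifiable person, the kind of outbound-attachment check that would have stopped this file leaving the billing system. The sample rows are constructed; the '(null)' business marker and the 16-22 code column follow Mark's description.

```python
import csv
import io

# Column layout as described in the thread (the file has no header row).
COLUMNS = [
    "account", "business", "first_name", "surname", "email",
    "phone", "flag", "code", "ebill_user", "ebill_password",
]

# Constructed sample rows: made-up values, not data from the leaked file.
SAMPLE_CSV = """\
D000001,(null),Ann,Example,ann@example.invalid,01234 000001,YES,16,ann.e,Sekret1
D000002,Example Widgets Ltd,Bob,Sample,bob@example.invalid,01234 000002,YES,22,bob.s,Passw0rd
D000003,(null),Cy,Test,cy@example.invalid,01234 000003,YES,19,cy.t,letmein
"""

def parse_rows(text):
    """Parse the CSV into dicts, rejecting any row that does not match the 10-column layout."""
    rows = []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(fields) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(fields)}")
        row = dict(zip(COLUMNS, fields))
        if row["business"] == "(null)":      # literal '(null)' means no business name
            row["business"] = None
        if not (row["code"].isdigit() and 16 <= int(row["code"]) <= 22):
            raise ValueError(f"line {lineno}: code column outside the expected 16-22 range")
        rows.append(row)
    return rows

def credential_rows(rows):
    """DLP-style check: return the account numbers of rows that pair a login id with a
    non-empty password and a contactable person (name, email or phone)."""
    exposed = []
    for row in rows:
        has_login = bool(row["ebill_user"] and row["ebill_password"])
        has_identity = any(row[k] for k in ("first_name", "surname", "email", "phone"))
        if has_login and has_identity:
            exposed.append(row["account"])
    return exposed

def attachment_should_be_blocked(text):
    """True when an outbound attachment carries even one credential-bearing row."""
    return bool(credential_rows(parse_rows(text)))

def find_account(rows, account):
    """Look up one account number, e.g. to check whether your own details are in the file."""
    return next((row for row in rows if row["account"] == account), None)
```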
Laurence Hansen
2009-09-25 11:41:37 UTC
Post by AlanC
Has anyone been notified of this by Demon?
http://www.theregister.co.uk/2009/09/23/demon_password_giveaway/
Pretty bad but even worse when you find out from a source other than
Demon!
Apparently there is no evidence that people's accounts have been
accessed by someone other than the account holder. How would they
know?
Alan
Just had an email from Demon with a .pdf attached which was an FAQ about
this. Don't know why they sent it to me though. Here's the text of my reply:

-------------------------------------------------------------------------
Hi

In April 08 I received a letter from you telling me about the new C-bill
system, which said 'You may recently have received correspondence and
log-in details for the launch of C-bill..'. In fact I had no
correspondence and received no log-in details. The letter told me I
could opt out of paperless billing by emailing ***@thus.net and
I duly did this (email sent on 6-5-08) but had no acknowledgement,
despite specifically asking for an ack to be sent.

I did receive and pay a paper invoice dated 16th April 09 for 12 months
internet access.

On 10-9-09 I had an email with the subject 'As easy as A, B, E. We are
changing C-bill' which said:

'As a customer who has already signed up for online billing on the
C-Bill platform, you will shortly receive an email informing you of the
simple steps needed to activate your e-Bill account.'

I have not signed up for C-bill, I asked to opt out from it, and I've
not had anything about activating it.

This morning I had another email, subject 'Demon e-billing update' which
had no text at all in the body, but a .pdf attachment which starts out:

'Q & A

Q. What details of mine were sent to other Demon customers?'

Which left me quietly horrified, as I knew nothing about a security
cock-up at Demon up until that point. Some covering text (at least)
might have been a good idea.

I don't know what you think the billing arrangements are for this
account, I don't wish to use C-bill, E-bill or even Z-bill, I just want
you to send me a paper invoice (like all our other suppliers do) once a
year which I will then pay. If you want things to work differently then
you'd better let me know, before the next payment is due.

Thanks