Update: This now happened the second time. This time, I didn’t delete the spam right away but took screenshots. I have asked Eweka.nl for comment again, but they have not responded in over 48 hours yet, nor have they ever responded to my inquiries in July 2017. At this time, it is unclear if they sold your personal information or if they got hacked, but not putting out a PSA in the latter is gross negligence.
When I switched to a new maildomain, I implemented personalized addresses for every service that I sign up for. This way, I can keep track who sells or loses my information and as an added bonus, I can easily block based on the mail header, even when I am spammed via bcc (thanks to “Delivered-To”).
The past days I have received potency-pill-spam to 4 addresses I used for signing up with this service in the last 4 years, give or take. The addresses are
See for yourself in this screenshot:
All these addresses have received the spam at about the same time, so I am pretty confident, that this was no coincidence (it is very unlikely a spammer would guess correctly how my mail setup works and guess the addresses I have used).
Eweka was not yet available for a statement on this issue, so we don’t know if they had a database breach or sold the addresses. However, at this moment, it is better you treat your Eweka password as compromised and change it.
Congratulations to Eweka for being the first company to lose my new address!