Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservationshad been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all . Marriott sent its notification email from " email-marriott.com ," which is registered to a third party firm, CSC , on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate . In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.
Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned , posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr , who works at security giant FireEye, registered the similarly named " email-mariott.com " on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.