Hungryhouse resets thousands of customers' passwords

Online takeaway service Hungryhouse has reset the passwords of thousands of its customers following an apparent data breach at a third party hosting company. Scott Fletcher, chief executive of Hungryhouse, said: "We had no affiliation with the web hosting company that was hit by a data breach. But when our head of security …

  1. Your alien overlord - fear me

    I like mike's tweet.

  2. Anonymous Coward

    Not surprising

    Hungry Houses' staff have seemed pretty technically inept in every communication I've had with them, so this doesn't really surprise me.

    They also run a lean staffing policy, so the lack of phone response is standard for them as well. :(

    1. wolfetone Silver badge

      Re: Not surprising

      Why would you think someone who actually has a proper IT skill or knowledge would work for a struggling online takeaway firm for minimum wage?

      Peanuts + Monkeys = Exactly what you'd get.

      1. Anonymous Coward

        Re: Not surprising

        @Wolfetone; You seem to think that Hungryhouse itself is a takeaway firm. It isn't- it's a platform/website acting as an intermediary ordering service on behalf of multiple third-party small takeaway services, a la "Just Eat".

        Not that I'm defending their service- I've no idea if they're good or bad since I've never used them personally- but I'd assume the "minimum wage" comment was also pulled out of your nether regions...?

        1. wolfetone Silver badge

          Re: Not surprising

          "but I'd assume the "minimum wage" comment was also pulled out of your nether regions...?"

          Well it worked for you didn't it?

  3. scottf007

    Very disappointing

    As a long time register reader, and the CEO of hungryhouse, I can say that I am very disappointed by The Register - biting the hands of the facts.

    They called me after publishing this post.

    We have had no data breach.

    We reacted to a data leak by '000webhost'. http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/

    We have no affiliation, or relationship to them. When the customer list was leaked, we compared this list to ours. If there was an email address match, we deleted the customer's payment information and reset the password as a precaution. We took this precaution after the Talktalk leak etc.

    This is sensationalist reporting, and has very few facts.

    Scott Fletcher

    CEO hungryhouse

    1. Oh Matron!

      Re: Very disappointing

      Scott,

      Firstly I'm impressed with the response. Some of the criticism still stands, however, if true. If you're going to use social media as an outlet for both news and support, make sure it's staffed by people who are kept abreast of news and facts, rather than kids who have the largest number of Instagram followers.

      However, I echo your disappointment. The Register has become the Daily Mail of tech websites.

    2. Tom 38
      Thumb Up

      Re: Very disappointing

      On the plus side, this sort of pro-active data handling actually makes me want to register with hungryhouse.

    3. Dr Who

      Re: Very disappointing

      If indeed you had no breach (although I find your explanation for the resets somewhat implausible) this is still an object lesson in the art of communicating with your customers whilst you are undertaking a seriously disruptive precautionary action.

    4. Anonymous Coward

      Re: Very disappointing

      So essentially what you're saying is that none of your services or client data are on 000webhost but when your client's email addresses turned up in a list of those affected by a hack of their services you took the initiative and reset their passwords/deleted payment details in case they'd recycled passwords?

      If that's the case, I think perhaps an email to the potentially compromised accounts would have been a better response.

      As it stands, you're also guilty of sensationalism because you should have no way of knowing if those clients had recycled passwords.

      Unless you're telling us you store passwords in plaintext?

      1. Electron Shepherd

        Re: Very disappointing

        you should have no way of knowing if those clients had recycled passwords... Unless you're telling us you store passwords in plaintext?

        If the compromised web host leak included email / password pairs, anyone can see if one of their own customers is reusing passwords, even if they themselves only store hashed passwords. You simply need to put the leaked password through your hashing algorithm, and see if you get the same hash as you have for that email address.

        1. TRT Silver badge

          Re: Very disappointing

          "Your password has been set to ineedabalti. Please change it immediately after logging in."

        2. Sgt_Oddball

          Re: Very disappointing

          Which would be really slack of those hashing not to do it properly.

          Password + email ain't that great but add another value in (makes no difference to the length of the hash just a different value) say a web domain/ip/name of the company /Devs first pet and makes rainbow tables useless to reapply to datasets elsewhere.

          It's just lazy if it's not included.
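Electron Shepherd's point (a site that stores only hashed passwords can still check a third-party leak of email/password pairs by re-hashing the leaked password under its own scheme) and Sgt_Oddball's point (a per-user salt plus a site-specific secret value stops a table built for one site being reused against another) can be shown together. The following is an added example written for this thread, not hungryhouse's code: the user database, the leaked pairs, the salts and the `PEPPER` value are all constructed, and the use of PBKDF2-HMAC-SHA256 is an assumption about the hashing scheme, not something the thread states.

```python
import hashlib
import hmac
import os

# Site-wide secret ("pepper") kept outside the user database, e.g. in config or an HSM.
# Constructed value for this example; a real one would be random and never in source.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with a per-user salt and the site pepper.

    Because the pepper is mixed in, a hash table computed for another site (or
    for this site's database without its config) cannot be compared against ours.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + PEPPER, ITERATIONS)


def new_record(password: str) -> dict:
    """Create a stored credential record: random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed customer database (email -> record). Only hashes are stored, never plaintext.
USER_DB = {
    "alice@example.com": new_record("correct horse battery"),
    "bob@example.com": new_record("Summer2015!"),
    "carol@example.com": new_record("un1que-pa55phrase"),
}

# Constructed third-party leak: plaintext email/password pairs from an unrelated site.
LEAK = [
    ("alice@example.com", "correct horse battery"),  # same password reused here
    ("bob@example.com", "letmein"),                  # our customer, different password
    ("dave@example.com", "Summer2015!"),             # not our customer at all
    ("Carol@Example.com", "un1que-pa55phrase"),      # reused; note the case difference
]


def find_reused_credentials(leak, user_db):
    """Return the emails whose leaked password also opens their account here.

    Only leak rows whose email matches one of our customers are hashed, so the
    cost is bounded by the overlap, not by the size of the leak.
    """
    reused = []
    for email, leaked_password in leak:
        record = user_db.get(email.lower())
        if record is None:
            continue  # not our customer; nothing to check
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time compare, same as a normal login check would use.
        if hmac.compare_digest(candidate, record["hash"]):
            reused.append(email.lower())
    return sorted(reused)


if __name__ == "__main__":
    for email in find_reused_credentials(LEAK, USER_DB):
        print(f"{email}: leaked password matches; reset and notify")
```

The matching customers are exactly the ones who need the reset and a plain-language notice; a customer who merely appears in the leak with a different password (bob) does not. The check only works when the leak contains plaintext passwords, as tiggity notes: a leak of the other site's hashes cannot be compared against these salted, peppered hashes.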

      2. tiggity Silver badge

        Re: Very disappointing

        An upvote, pretty much what I was thinking (though as has been pointed out can check password match (barring random hash collision) whilst having NON plaintext password storage)

        @scottf007

        Given that people often reuse passwords, I can see the concern that given a list of stolen emails & associated passwords from an unrelated site, then there is a chance that any users of hungryhouse in that list may be using the same passwords in hungryhouse.

        A good, non customer irritating response would have been to email those customers of yours and warn them, rather than pre-emptive password reset.

        Without a very clear explanation, many of your customers will have a WTF! angry response to (a potentially well intentioned or catastrophically arrogant depending on viewpoint) account lockout.

        I'm assuming a password reset on hungryhorse would need a whole lot of security questions answering & various hoops to jump through?

        If not a painful security exercise to reset password, then totally pointless to reset, as could reasonably assume a user has same password for their email provider as was on that hacked credentials list & thus the email account could easily be compromised & so a password reset would have achieved little.

        As the Forbes article you referenced mentioned, the affected hosting site did not verify email address registration, so (as Troy Hunt found) it was possible to sign up to the web hosting service using any random email address, so potentially a proportion of the "union" between your customer list & breach list may not be a genuine match, as possibly the genuine email address owner never actually signed up to the web hosting service.

        Plus, scottf007, the quote: "We deleted the customer's payment information"

        Irretrievably deleted?

        So, the password reset customers also have to jump through the hoops of re-entering all their payment data .. cue even further disgruntled customers

        Why delete the payment data - surely you would have nothing on your financial systems in a form an attacker could use..

      3. Little Mouse

        Re: Very disappointing

        I'd say, in HungryHouse's defense, that they were stuck between a rock and a hard place in this situation. Realistically, what could they do?

        1) Do nothing? But it's a sure thing that many users DO recycle passwords - therefore if the email accounts had been compromised then their HungryHouse account could be wide open too.

        2) Send an email to the affected users' email addresses? Maybe, but I know that any emails I get that tell me I've been hacked go straight in the bin. I don't even read them - life's too short. And let's not forget that these email addresses have been compromised - you might just be emailing the perp, not the victim.

        3) Take local action to make sure someone else's data breach doesn't cause problems in your own backyard? Well, that's what they've done, and they are now getting flak for it. It's disruptive - but seriously disruptive? C'mon...

        I'd say hats off for trying, but there's room for improvement.

        1. Anonymous Coward

          Re: Very disappointing

          If financial details are stored, like Just Eat, it's to pay for your takeaway so YES, they could fleece your card / account.

          Scott, well done for being proactive.

          Next time just deny everything like Talk-Talk and you'd still get the same response from the reg commentards.

          Damned both ways

      4. Anonymous Coward

        Re: Very disappointing

        "As it stands, you're also guilty of sensationalism because you should have no way of knowing if those clients had recycled passwords."

        As someone who lives outside the UK, I'd never heard of HungryHouse before, so I suppose it's a case of "There's no such thing as bad publicity".

        But as another poster points out, given a plain text password leaked elsewhere, you can check to see if putting it through your one-way hashing algorithm comes up with the same result as held in your own database.

    5. Known Hero
      IT Angle

      Re: Very disappointing

      @scottf007

      Just wondering, I am presuming it was you who undertook the decision to reset people's passwords?

      If so, how much of that decision making process would you attribute to the ranting of commentards on here, and if so are you wondering why now they are having a go at you for being too paranoid?

      You loose some and you loose some. I'm sure that's how it's meant to be written ;)

      But seriously, how much do you feel your decision (if it was yours) was influenced by reading the reg and its comments?

      1. This post has been deleted by its author

      2. AbelSoul
        Trollface

        Re: You loose some and you loose some.

        I'm sure that's how it's meant to be written

        Quite a loose grasp of how it's meant to be written, IMNSHO.

        1. TRT Silver badge

          Re: You loose some and you loose some.

          But the problem is that I now need to follow the password reset procedure which involves sending an email to my (compromised) TalkTalk email address, but the TalkTalk email servers are completely shitted out at the moment and are taking between 4 and 48 hours to receive and process email, so I can't reset my password because I'll never get the email.

          So I guess I'm having beans on toast this evening. #minifistpump

    6. Anonymous Coward

      Re: Very disappointing

      Don't know if the article has been rewritten; but it seems sympathetic to me. Also if you are going to take action like this; why not do it properly and check against these lists?

      https://haveibeenpwned.com/

      1. Mark 85

        Re: Very disappointing

        It would seem that https://haveibeenpwned.com/ is not a very well known website outside of some IT types. I kicked this to my department a couple of months ago as a help and only 5 out of approximately 75 people had ever heard of it and were happy to find out about it.

  4. Anonymous Coward

    Clearly a #minifistpump moment.

    1. TRT Silver badge

      I had a bit of a mini fist pump the other night... came way sooner than 45 minutes.

  5. Anonymous Coward

    I never liked them anyway...

    They occupy space at the top of search results making it difficult to find the number of my local takeaways. I prefer to do a local transaction with local folk without involving a scalper who sits in the middle, adding nothing but inconvenience to a system that already worked.

    1. TRT Silver badge

      Re: I never liked them anyway...

      There's nothing here for you...

    2. Billa Bong
      WTF?

      Re: I never liked them anyway...

      You pride yourself on having a personal relationship with your local takeaways, but have to google their numbers...?

      A scalper makes something available that is not available from the official source at a heavily marked up price, which I think is inaccurate here...?

      You call HungryHouse a scalper, but presumably you use Amazon for purchasing items from time to time where eventually you'll be buying through Amazon from a 3rd party; are they scalpers also...?

      You don't have to use hungryhouse. Just keep the takeaway menus by your phone and dial them direct. No one is forcing you to use this service, nor post such a strange response to a technical article about proper online account security.

      Kudos to HH for taking precautionary measures on behalf of any customers you have that may have recycled passwords, even if the communication to those customers seems to have left a little to be desired among them.

      1. Blitheringeejit
        Megaphone

        @Billa Bong

        >You don't have to use hungryhouse.

        You don't have to use Amazon either, despite your presumptions. Boycott the tax-dodging slave-driving bastards!

    3. Tom 38

      Re: I never liked them anyway...

      Meh, that's just BS. Before hungryhouse and justeat came along, most of the takeaways, particularly the cheaper ones, round my way (East London) either didn't deliver at all or only accepted cash. Having a single payment processor for takeaways is a win for consumer trust, enabling more places to deliver to more people and employ more delivery drivers and staff.

      Similarly, TopTable can be seen as a parasite on restaurants, or a way that allows them to maximise their covers on a slow Tuesday.

      PS: What's going on? What's all this shouting? We'll have no trouble here!

  6. BenBell
    Pint

    Friday!

    Beer O'clock.

    On the upside, I have just registered with HH following on from this and will most likely be ordering a Pizza tonight :)

  7. Anonymous Coward

    Card details were obtained actually

    My wife had an unauthorised order placed on her hungryhouse account a few weeks ago, and the support team weren't very helpful and just said they had seen this happen before, there may have been a breach, and they've reset her password. Either this was unrelated, or in fact the breach being reported here did include enough information to hijack accounts and place orders.

    I also don't buy the "it is purely the hosting partner's fault". The application provider needs to take responsibility for the security of the customer data they hold. If they use a third party hosting provider to do so, it remains their responsibility to ensure the relevant infrastructure security services are in place.

    1. Blitheringeejit
      Pint

      Re: Card details were obtained actually

      > Either this was unrelated, or in fact the breach being reported here did include enough information to hijack accounts and place orders.

      Or her email and password were obtained from an unrelated breach of another system, and she used the same password for both..? Isn't that the point of this whole thread?

      And I can't see why you assume that her card details were harvested from HH, when all that happened was that her account was used by someone else to order food. Rider - I've never used HH so I don't know how their system works, but in most systems I HAVE used, if the customer chooses to allow the site to remember the card details, normally a login is all that's required to place an order, and the card details are not displayed in full when doing so. If I were criminally minded and got hold of someone else's card info with the intention of misusing it, I'd be buying something much more expensive than a takeaway.

      Why beer? Friday!!!

  8. Hans Neeson-Bumpsadese Silver badge

    Checks and balances

    Given that the point of HH is to get stuff delivered to your home, it would seem reasonable to have an initial check of whether the order is for an address other than the customer's registered home address. If it's different, then do a quick check (e.g. call to customer's registered phone number) to confirm it's a genuine order (e.g. I'm using my account while at a friend's house) as opposed to shenanigans.

  9. scottf007

    Responses

    Hello,

    This will be the last comment on this thread from me, but just some answers to questions that were posted, roughly in the order they appear.

    Communication with customers: Nothing to say here, but this was poor. We could have done a much better job. The SMS people received was automatic, and was missed in our check list. People were only supposed to receive the email that went out.

    Password Reset: This takes someone maybe 30-60sec. Just a link and re-enter passwords, standard security practice currently.

    Payment Information: We store payment details as a token, and are PCI compliant, and are audited as such. We do not store customer payment information as anything but a token.

    Password reset vs customer communication: I decided to do this as this way we would know we have done everything we can to keep customers safe, which is a nice segue into the next point.

    Patterns of attacks we see: We see constant attempts to get into customer accounts through various methods. Most attacks have a user name and password already. They try specific combinations, and are not random - the attackers have lists of emails and passwords (only an issue if people use the same password as talktalk etc). We monitor attempts to login and ip addresses / sessions / device fingerprints etc. This is a game that all online companies face, and our job is to make this harder and harder, while keeping it easy for customers.

    Pain to order if you can not access your email: You can order as a guest any time from our website.

    Scalper: Restaurants pay us commission, and customers pay the same price as an offline order. If we find an error in prices, we change this immediately or take the restaurant offline.

    Card details obtained: This can not happen as we do not have the card details of anyone. Possibly if an account login and password was obtained it could be possible to place an order, similar to most online services. We are making this harder all the time as well, through fingerprinting etc.

    Checks and Balances: We are audited twice per year by an external security company. This includes penetration testing, code reviews amongst many other things. We implement all their recommendations as soon as we can. We also follow up to date security practices and try to ensure that we are at the forefront. One of these was to take the action we took today because of the patterns of attacks we see. We are not perfect, but take security very seriously, and try to constantly improve our processes and performance. We will continue this.

    I hope this helps. Thanks for all the notes and feedback.

    Cheers

    Scott
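Scott describes the pattern his team sees: attackers arriving with a ready list of email/password pairs and trying each one once, rather than guessing randomly, and the site watching login attempts by IP address, session and device fingerprint. The following is an added example of the kind of detection logic that distinguishes that pattern from an ordinary user mistyping their own password; it is written for this thread and is not hungryhouse's code. The log format, field names, thresholds and all log lines are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real hungryhouse logs).
# Fields: timestamp, client IP, account email, result, device fingerprint.
LOG = """\
2015-10-30T18:00:01 203.0.113.7 alice@example.com FAIL fp-9a
2015-10-30T18:00:02 203.0.113.7 bob@example.com FAIL fp-9a
2015-10-30T18:00:02 203.0.113.7 carol@example.com FAIL fp-9a
2015-10-30T18:00:03 203.0.113.7 dave@example.com SUCCESS fp-9a
2015-10-30T18:00:04 203.0.113.7 erin@example.com FAIL fp-9a
2015-10-30T18:00:05 203.0.113.7 frank@example.com FAIL fp-9a
2015-10-30T18:05:00 198.51.100.2 alice@example.com FAIL fp-11
2015-10-30T18:05:20 198.51.100.2 alice@example.com FAIL fp-11
2015-10-30T18:05:45 198.51.100.2 alice@example.com SUCCESS fp-11
2015-10-30T18:09:00 192.0.2.9 grace@example.com SUCCESS fp-33
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, result, fingerprint = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "email": email.lower(),
            "result": result,
            "fp": fingerprint,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that try many *distinct* accounts within one time window.

    A legitimate user who has forgotten their password retries the same account
    (one account, several attempts). A credential-stuffing run does the opposite:
    many accounts, roughly one attempt each. The sliding window counts distinct
    accounts per IP and records which of those logins succeeded, since those are
    the accounts the attacker now controls and that need a reset.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # account -> attempts currently inside the window
        start = 0
        for i, event in enumerate(ip_events):
            in_window[event["email"]] += 1
            # Slide the window start forward past events older than `window`.
            while ip_events[start]["ts"] < event["ts"] - window:
                old = ip_events[start]["email"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= min_accounts and (
                ip not in findings or distinct > findings[ip]["distinct_accounts"]
            ):
                succeeded = sorted({e["email"] for e in ip_events[start:i + 1]
                                    if e["result"] == "SUCCESS"})
                findings[ip] = {"distinct_accounts": distinct, "succeeded": succeeded}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_log(LOG)).items():
        print(f"{ip}: {finding['distinct_accounts']} accounts tried; "
              f"compromised: {', '.join(finding['succeeded']) or 'none'}")
```

On the constructed log, 203.0.113.7 is flagged (six different accounts in four seconds, one of which succeeded), while 198.51.100.2, which retried a single account three times before getting in, is not. Attackers spread a list across many IPs, so in practice the same count would also be kept per device fingerprint and per autonomous system, and the accounts in `succeeded` are the ones to reset and notify.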

    1. Alfie Noakes
      Pint

      Re: Responses

      @ scottf007

      You are a member of the El Reg community, a CEO and someone who seems to know what he is talking about (in IT at least) - i salute you!

    2. Triggerfish

      Re: Responses

      Frankly I am more impressed by you going over the top with resetting the passwords etc. Than trying to hide it like most companies. Also in the long run less hassle resetting a password, than having to sign up to a credit reference agency and monitor your accounts.

  10. David Roberts
    Thumb Up

    Seems logical to me

    Details including email address and password stolen from another site: possible obvious risks :

    (1) Same email address and password used - so reset password as first line defence.

    (2) As above for email account at ISP - so email account may be compromised. So password reset using email address may be compromised. So delete payment details as second line of defence.

    Payments can then only be authorised by someone with email address and relevant card detail. This is the same level of checking as for a new account. So best efforts by the site to protect customers.

    This is obviously a pain for anyone who hasn't been compromised when their details were stolen but it seems to be a thoughtful and logical approach. Much more proactive than relying on the breached site to persuade all customers to change all their accounts (assuming that they can remember them all and can be arsed). This is a major benefit for this approach - dormant users don't get their account hijacked without them noticing and active users can easily reset their details. This gives me a lot of confidence in the IT awareness of this company. They just need a spin doctor to handle their social media.

    1. Anonymous Coward

      Re: Seems logical to me

      I'm with you most of the way Mr Roberts, right up to the last line:

      "They just need a spin doctor to handle their social media."

      No, no and no again to spin doctors.

      Yes to better responses on-line and I think from Scott's replies that lesson might have been learned.

      But still no, no and no again to spin doctors.

  11. Stevie

    Bah!

    Good stable hygiene after horses long gone.

  12. Scyta1e

    Coincidence?

    I think there is possibly more to this than being pro-active. I have personally had £160+ of orders placed on the 23rd/24th of November. I contacted HH online on the 22nd after receiving what I hoped were spurious e-mails. Turned out they weren't. In total 11 different orders to different restaurants (and bizarrely 2 refunds) placed on the 22nd hit my account on the 23rd and 24th - including the refunds (all £16 of it)! I've only ever made 3 orders with HH, twice in May and once in June of this year.

    The only reason I knew anything about it was that 2 of those orders were followed up by a rate your meal mail request. HH at this point have simply wiped my payment details; the account is still there pointing to some "other" e-mail address. The order history shows a set of orders placed in Birmingham when the delivery address is in Merseyside (and doesn't even have a house number). On the website it actually says the restaurants are outside the delivery area when you review the order.

    Annoyingly for me it wasn't until the 24th that HH appeared to act and sent me a mail indicating the account was reset and I should sort out any issues with my bank.

    I'm hoping my case is isolated - hacked online accounts are an annoying fact of life. What concerns me more here is the complete lack of basic validation: multiple charges to a single payment in an evening, to several different restaurants, with invalid delivery address details in a geographically separate area. Come on HH, you can do better than that, this is basic stuff.

  13. jnm8210

    Thank you Hungry House

    I am one of the twitter users quoted on the article & have registered here to reply to some of the comments. There were comms issues, yes, but Scott has accepted that & I am more than happy to accept them now that I know why.

    Having been very aware of my internet security after all the press reports & various emails from various companies INCLUDING 000webhost (whom I would ask why they still had my info after they closed down my account after no traffic for their prescribed period), I had signed up to a well known credit reference agency & they emailed me an alert that my email address had been found on a website with a password. They only told me the first two letters, which to my relief did not match my email account password. I was left worried what site I had used a password on with those 2 start letters.

    At least now I can be fairly certain that it was an insignificant free webhosting service. For that I am most grateful to HungryHouse.

    While I do not reuse passwords (and the comms caused me short term stress), I do appreciate these actions & clearly, as some intelligent posts have said, where the donor site also hosted email services, deleting my card details (which I can confirm HH have done) was the correct thing to do & very much appreciated. Resetting my password was very straightforward.

    Thank you Scott & as I said in my tweets of apology, I authorise you to use any of my comments in any way that you wish.

    Does anyone know how I can recommend HH for an award/good news story?
