"A limited number"
Every time a journalist sees this in a press release they should automatically follow up with "and of course, by limited number they might well mean limited to EVERYONE".
Clothes website SportPursuit was hit by hackers over the Easter weekend, potentially losing customers' bank card details. SportPursuit admitted on Sunday that it had "uncovered evidence" of "an attempted data hack" which "may have affected" what it claims were "a limited number" of its customers. The company's statements to …
They say that they're using salted hashes so I'd expect a reasonably sensible password strategy based on a slow hash function.
They also say that the hole was introduced during an upgrade, so that suggests that the original design was OK and someone has introduced a cock-up (like leaving the debug logging on).
Thank you for your mail.
It is possible that the data which may have been accessed includes debit or credit card details. It is for this reason we have emailed all potentially affected members to ask them to remain vigilant and report unusual activity to their bank or credit card provider. Importantly, it is not possible that the CVV (Card Verification Value) of the cards in question was accessed from our systems.
Amazeballs.
And accidentally start storing card details in encrypted form?
Sounds like some cut and paste web development to accidentally achieve that and then not notice it in any QA of the site.
What's the betting the encryption key was stored with the data for ease of access?
By most standards SportPursuit have handled this well. They coughed up pretty much as soon as they knew and they've been honest with the details.
Compare with other retailers who've been hacked - eBay, Warehouse Express, 7dayshop - all of whom deny anything wrong and refuse to answer questions. Or others, where the extent of the leak dribbles out over time.
I'm a SportPursuit customer.
I received the email, but looking at other forums not all customers have. What concerns me is that I last used my credit card on SportPursuit 12 months ago - assuming they're not just mailing anyone who ever used a credit card and the recipients are just those customers whose credit card data was inadvertently stored, that means they've been storing card data for 12 months or more.
Makes you wonder how 'inadvertent' it really was...