back to article Two million customer records pillaged in IT souk CeX hack attack

Second-hand electronics dealership CeX says two million customers may have had their personal information swiped by hackers. Several Reg readers dropped us a line after receiving an email from the Brit biz that informed them their personal details including first name, surname, address, email address and phone number had been …

  1. vir

    "Not Particularly Complex"

    A file called "not_passwords.txt".

  2. DNTP

    Hashed... but not complex

    Them damn data bandits done stolen auntie's 'English style potatoes' recipe. The bastards.

  3. This post has been deleted by a moderator

  4. Snorlax
    Facepalm

    Stupid Is As Stupid Does

    "The data loss came as part of an "online security breach" – its in-store terminals weren't affected. That'll be a relief to those using the stores, since credit card-slurping point-of-sale malware is becoming increasingly common, particularly in the US."

    US consumers have resisted chip-and-pin because they think it's slower than swiping. Also, merchants with chip-and-pin compatible terminals will often tell people to swipe rather than insert the card.

    Morons.

    1. vir

      Re: Stupid Is As Stupid Does

      If you try to swipe on a chip terminal, it will brusquely tell you to use the chip.

      1. Snorlax

        Re: Stupid Is As Stupid Does

        @vir:"If you try to swipe on a chip terminal, it will brusquely tell you to use the chip."

        Some payment processors have updated the software on their terminals to do this. Not all do.

    2. Aodhhan Bronze badge

      Re: Stupid Is As Stupid Does

      Yet your country has far more breaches per capita. Likely due to the lower educational standards of the public system.

      1. Anonymous Coward
        Anonymous Coward

        Re: Stupid Is As Stupid Does

        Or maybe the crackers are better thanks to our public system?

      2. vir

        Re: Stupid Is As Stupid Does

        I resemble that statement.

      3. Snorlax

        Re: Stupid Is As Stupid Does

        @Aodhhan:"Yet your country has far more breaches per capita."

        Got any proof to back up your claim?

  5. colin79666

    Particularly complex

    If you read their email properly it isn't their system but your password:

    "Why do I need to change my passwords?

    Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password"

    Just standard advice really although it may imply they were hashed but not salted, at least not a per user salt. It is easy for people to scoff but remember many of these accounts could be years old and md5 was once considered good enough. Yes CEX have got wrong but at least they have fessed up.

    1. werdsmith Silver badge

      Re: Particularly complex

      It's about time we had a ratings scheme like the Food Hygiene Standards star scheme, that they have to display their rating in their shops and websites. Then we can decide if we want to deal with them.

      Keeping old data and MD5 only would get them a one out of a possible five star rating and nobody would touch them.

  6. petef

    Onliner Spambot

    Pah, only 2 million? Onliner Spambot has (some) details of over 700 million accounts.

    https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump

    1. Chris King Silver badge

      Re: Onliner Spambot

      I had 213 addresses reported for my personal domain.

      Over 200 of them were randomly-generated, "guessed" stuff like admin@, billing@, sales@ (none of which existed), some German ones (direktor@, sekretariat@) and a bunch of usenet post-IDs. Less than 10 were recognisable and most of these were associated with previous vendor leaks.

      711 million addresses maybe, but nowhere near that number will be real or valid. Remember, this is something the spammers were using to send mail, so they didn't care about validity.

  7. Martin Summers Silver badge

    Several Reg readers dropped you a line including me literally just because I didn't think to check the site first. Typical. I'll never get a gold badge ;-)

  8. Anonymous Coward
    Anonymous Coward

    I used to spend my weekends going round all the CEX shops in my area looking for anything on special offer. Won't be doing that any more.

    1. frank ly Silver badge

      You could try paying with cash.

    2. Anonymous Coward
      Anonymous Coward

      "its in-store terminals weren't affected"

      Do people read the articles?

  9. John Brown (no body) Silver badge

    Some credit and debit card data was also slurped

    "Some credit and debit card data was also slurped, but CeX says that's not a problem because the store stopped taking that data in 2009,"

    Why were they keeping credit card data? And more importantly, why have they STILL got that data from 7 or more years ago, especially since they now don't collect/keep that same data?

    1. Hans 1 Silver badge

      Re: Some credit and debit card data was also slurped

      Why were they keeping credit card data? And more importantly, why have they STILL got that data from 7 or more years ago, especially since they now don't collect/keep that same data?

      Valid questions. They fessed up, though, admitted fault, AND hired a cybersecurity expert ... what more do you want ? To others not yet raided, John Brown is right, check your data retention processes, now!

      If you can, use per user salted hashed passwords, if you cannot, listen, you need to!

      Never retain credit card data, except where there is no other way, salt/hash the card data. (Some stores allow you to pay in 3 installments per credit card, I assume they would need to keep the data).

      Oh, anything accessible from the interTubes must have up-to-date software!

      1. Doctor Syntax Silver badge

        Re: Some credit and debit card data was also slurped

        "They fessed up, though, admitted fault, AND hired a cybersecurity expert ... what more do you want ?"

        To do things in the right order. Hire the cybersecurity expert first, then they might not need to do the rest.

    2. pop_corn

      Re: Some credit and debit card data was also slurped

      My thoughts exactly. The 5th principle of the Data Protection Act is the one I believe is the most widely breached, as has clearly been the case here:

      > Fifth principle - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  10. Banksy

    Will the hackers now know about all the tat I sold to CeX?

    1. Anonymous Coward
      Joke

      Hope not, the Police may find out.

  11. Adam 52 Silver badge

    "and so all of the cards have likely expired"

    This but doesn't help much. It's fairly easy to retry the same card adding two or three to the expiry year.

    If that fails then the credit card companies offer services to update expired cards - card refresher from Amex, Account Updater from Visa and Billing Updater from MasterCard - and some merchants will helpfully call those for you.

    1. James O'Shea Silver badge

      The ‘security code’ 3 or 4 digit numbers will have changed. Some sites want ‘em, some don’t.

      1. defiler Silver badge

        CVV code

        I thought it was illegal / a breach of regs to retain the CVV. That's why every time my wife wants to use JustEat, it's a hunt for the card...

        1. James O'Shea Silver badge

          Re: CVV code

          If the site retained the CVV, it won't match. If they didn't, but do ask for it, then whoever has the stolen CCN can't use it at that site. If, on the other hand, they never ask for a CVV, then there can and will be shenanigans.

  12. pisquee

    We got the CEX emai, and not much later got an email from another website we'd used the same email/password combo saying they'd picked up that those had been published and so had locked our account til we changed passwords. So either a coincidence or the hack has been published.

  13. Anonymous Coward
    Anonymous Coward

    Congrats, I've arrived at work, checked emails and calls...

    ..then visited el reg and all my targets have been met.

    We take the protection of customer data extremely seriously - Check

    and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. - Check

    "Clearly however, additional measures were required to prevent such a sophisticated breach occurring, " -Check

    and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again." - Check.

    In summary: We pay for we we can get away with, now paying more, horse stable bolts and doors. Change passwords. You'll be dumb enough to keep trading with us, so no big loss anyway.

    I'm going to patent a online for template for these companies. Should make a fortune.

  14. se99paj

    Is anything safe anymore?

    Is anything safe anymore? I guess the answer is "No".

    What is safe today will be hackable tomorrow - I realise that companies need to invest in their security, but if their margins are getting smaller they will struggle and hackers will eventually catch up with them.

    1. Oh Homer
      Terminator

      Re: "What is safe today will be hackable tomorrow"

      But that is in fact the definition of "secure", to anyone who really understands security.

      Anything that can be made can be broken, and will be broken, eventually. That includes everything from encryption to parking meters.

      The real objective of security is to delay breaches long enough to mitigate them by other means (e.g. escape or obsolescence), not to prevent those breaches forever, because that is impossible.

      That is the only sensible approach to security. Don't start by assuming it's infallible, but know absolutely that it will fail, then race to the next security measure before it does.

    2. Banksy
      Coat

      Re: Is anything safe anymore?

      You're saying they should have practiced safe Cex?

  15. Anonymous Coward
    Anonymous Coward

    oh, and some of this data was unlawfully obtained ...

    a few years ago, I bought a £4 memory module in CeX for *cash*.

    It was misdescribed (as the receipt showed) so a refund was in order.

    CeX insisted on a proof of ID before refunding - even though they had no standing to.

    I was left in a catch-22 situation that I *could* have taken them to court for the refund. But not without revealing my identity.

    Sometimes, having rights is meaningless - something we should all bear in mind.

    1. Ken Moorhouse Silver badge

      Re: CeX insisted on a proof of ID before refunding

      I can understand the reason behind this.

      The simplest being that a substitute product had been given back, or that the customer had broken it prior to its return. They might not interfere with honouring a refund this time round, benefit of the doubt, plus statutory rights, but if that kind of trick is played often enough then be prepared to be put onto a refund blacklist. I can't see a court agreeing with a plaintiff who regularly returns goods having broken them when a refund is refused despite statutory rights.

      Then there are product switching scams that staff might collude in that result in inferior products being put on sale - er, which more or less could have been what happened to you. For this they would either have to use their own address on the paperwork, or make one up.

      All of which points to being receptive to their administrative processes.

      1. Anonymous Coward
        Anonymous Coward

        re: All of which points to being receptive to their administrative processes

        er, CeXs administrative problems do not trump the law, which states that a CASH refund under the CRA cannot be attached to conditions. The problem is the court case to enforce that would cost more that £4, and run the risk of the judge not awarding the court costs.

        1. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    CeX admins...

    Are the guys responsible for the poor security now CeX offenders?

  17. Jason Bloomberg Silver badge
    Pirate

    Karma

    CeX are always trying to get my name, address, and email details out of me. I had a row in one of their stores just two weeks ago over their persistence and time wasting when simply wanting to pay for a 50p DVD with cash.

    I did later reflect on whether I had perhaps over-reacted, been a little unfair or strident in my criticisms that I don't trust companies to keep data I provide safe. It seems not.

    1. jonathan1

      Re: Karma

      You were lucky and right.

      To my shame - I had completely forgotten I had used them many moons ago and at the time they wanted to pay the money for my stuff direct into my bank account. Which I foolishly gave them. I recieved the email this morning.

      Had no idea I even had an online account with them (which I have never used). I reset my password so I could log in and rather frightening event though my address information isn't there my bank details are! I don't remember giving them permission to put that information online...

      Bollocks is all I can say.

  18. Eponymous Cowherd
    Coat

    Unprotected Cex

    Yeah, I know.

    Getting my coat.

  19. adam payne Silver badge

    "We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement."

    Same old stock announcement then.

  20. Potemkine! Silver badge

    When a store asks for my mail or phone...

    ... I say no (no, no). Why should I give information it will be unable to keep safe?

    1. Eponymous Cowherd

      Re: When a store asks for my mail or phone...

      Generally, I just lie.

      Quicker, avoids arguments, and has the added bonus of messing up their stats. If everyone did this they'd soon stop the practice.

      Similar thing with TV catch up services, who all now demand we create accounts and sing in.

      BBC, ITV, Channel 4, Channel 5. All signed up with fake email addresses and fake postcodes.

      1. James O'Shea Silver badge

        Re: When a store asks for my mail or phone...

        Meh. I usually use:

        935 Pennsylvania Ave. NW

        Washington, DC 20535

        Ask for Chris

    2. Anonymous Coward
      Anonymous Coward

      Re: When a store asks for my mail or phone...

      Use this

      Wycliffe House

      Water Lane

      Wilmslow

      Cheshire

      SK9 5AF

      1. Terry 6 Silver badge
        Devil

        Re: When a store asks for my mail or phone...

        I now walk away from sites that require me to confirm the email address I've given to them- unless they have a really good reason to have my ID. Sometimes even when I wasn't even planning to use a fake email address.

  21. hatti

    cut n paste

    "We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement.

    I'm sure I read this statement once before coming from a certain D. Harding. 'Tis the standard, "it wasn't us gov" cut 'n' paste data protection blurb.

  22. ukgnome Silver badge

    so is this an online cex scandal?

  23. Anonymous Coward
    Anonymous Coward

    whilst data leaks are not punished---

    ----then of course action is only taken too late to matter.

    Until there is adequate punishment for data mismanagement then handing your real data is an expense to everyone in your country.

    At the minimum the directors of any company having a data leak should be held responsible for any losses the effected customer suffer, with the onus on the company to prove that the lose was not their fault.

    I would say that the directors of a company leaking data at this point are negligent, there are plenty of companies that are available to lock data down and there has been plenty of press attention for the historical data leaks.

    When laws change people are still held responsible even if they were unaware of the changes because were published on TV and in newspaper, if people why not companies?

  24. Fihart

    Colourful history....

    Quite a 'colourful' company, originally the Music and Video Exchange, with main branch in Notting Hill Gate. I seem to remember reading their terms of business at that time when buying a used CD -- these implied that part of the price was to purchase a warranty and that portion was not refundable if the product had to be returned. I thought at the time that this would have raised some eyebrows if a customer took it to small claims. I may be mistaken, but I recall that the original firm was registered in the Channel Islands, which would have matched the freebooting style of the now deceased founder.

  25. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019