Second-hand electronics dealer CeX is warning that it has suffered a data breach that has exposed the personal information of up to two million customers.
The bad news was announced in the form of an email sent to registered users of CeX’s webuy.com website.
Customers are being advised to change their webuy.com password, and should ensure that they are not using the same password anywhere else on the internet.
So far, so normal. What I find unusual, however, is that CeX appears to be dodging the question of why it has not reset customer passwords itself as a precaution, instead of asking users to log in and do it themselves.
Whilst we are liaising with the authorities we cannot provide any detail at present. We will provide updates via https://t.co/tHyRDNX2r3
— CeX (@Cex) August 30, 2017
Also, although in an advisory posted on its website CeX says that personal information such as first name, surname, addresses, email address and phone numbers have been exposed (alongside “encrypted data from expired credit and debit cards up to 2009”), no information has been shared regarding when it discovered that a breach had occurred or for how long hackers may have been able to access the sensitive information.
To be fair, some of CeX’s customers don’t seem that bothered about the breach.
cex security breach doesn't bother me
their website barely lets me in when i use the correct password, let alone someone else
— Wanyal (@Wanyal) August 29, 2017
Should CeX customers be bothered? I think so. Personal information like that which has been exposed by this security breach could be exploited by criminals. For instance, it’s easy to imagine how a scammer could target customers by sending them an email pretending to come from CeX, or even ring them up at home in an attempt to extract more information.
We place our trust in online organisations to take proper care of our personal information, and our privacy and security is chipped away every time there is an incident like this.
Regarding passwords, CeX hasn’t been entirely transparent about how they were being stored. In its advisory it says that although the passwords were not stored in plain text, a password that is “not particularly complex” could be cracked in time.
You may not care that much about your CeX account being broken into by a hacker who has cracked your password, but you almost certainly will be upset if they manage to use the same password to break into some of your other online accounts.
For that reason, it makes sense to choose a strong, hard-to-crack, unique password for all of your accounts.
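To make the two points above concrete (salted, slow password hashing rather than a fast or reversible scheme, and a precautionary forced reset of the kind CeX chose not to do), here is an added example in Python. It is not CeX’s code and says nothing about how webuy.com actually stores passwords; the `AccountStore` class, the reset policy and the sample accounts are constructed for illustration. It uses `hashlib.scrypt` from the standard library with a per-user random salt, so that a leaked hash table cannot be attacked with a single precomputed list and each guess costs real work.

```python
"""Added example: salted, slow password hashing plus a breach-time forced reset.

Assumptions (not from the article): account records live in a dict, a reset
flag is stored next to the hash, and a new password must be at least 12
characters and different from the old one.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters: 2**14 * 8 * 128 bytes = 16 MiB per hash. Raise N as
# hardware improves; the parameters are stored with the hash so old records
# can still be verified after the defaults change.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A hash of a dummy password, verified when the account does not exist, so a
# login attempt takes the same time whether or not the email is registered.
_DUMMY_HASH = hash_password("dummy-password-for-timing")


class AccountStore:
    """Constructed in-memory account table; a real site would use a database."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def register(self, email: str, password: str) -> None:
        self._accounts[email] = {"hash": hash_password(password), "must_reset": False}

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'reset_required' or 'denied'."""
        record = self._accounts.get(email)
        if record is None:
            verify_password(password, _DUMMY_HASH)  # burn the same time as a real check
            return "denied"
        if not verify_password(password, record["hash"]):
            return "denied"
        return "reset_required" if record["must_reset"] else "ok"

    def force_reset_all(self) -> int:
        """Precautionary breach response: no account can log in until its password is changed."""
        for record in self._accounts.values():
            record["must_reset"] = True
        return len(self._accounts)

    def set_new_password(self, email: str, old_password: str, new_password: str) -> bool:
        """Change the password; reject the old one being reused or a too-short replacement."""
        record = self._accounts.get(email)
        if record is None or not verify_password(old_password, record["hash"]):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH or verify_password(new_password, record["hash"]):
            return False
        record["hash"] = hash_password(new_password)
        record["must_reset"] = False
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "correct horse battery staple")
    print(store.login("alice@example.com", "correct horse battery staple"))  # ok
    print(store.force_reset_all(), "accounts flagged for reset")
    print(store.login("alice@example.com", "correct horse battery staple"))  # reset_required
```

The point of `force_reset_all` is that it can be applied to every account the moment a breach is suspected, without waiting for customers to read an email; a stolen hash is then useless for logging in even if it is eventually cracked. The `must_reset` flag is the whole of the mechanism, and the old hash is replaced, not merely re-enabled, once the user picks a new password.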
The best approach, in my opinion, is to use a good password manager to remember and securely store all of these complex, impossible-to-remember passwords for you, as we discussed in a past episode of the “Smashing Security” podcast.