CeX data breach impacts two million UK accounts, customers told to change passwords ASAP

Graham Cluley

Second-hand electronics dealer CeX is warning that it has suffered a data breach that has exposed the personal information of up to two million customers.

The bad news was announced in the form of an email sent to registered users of CeX’s webuy.com website.

Customers are being advised to change their webuy.com password, and should ensure that they are not using the same password anywhere else on the internet.

So far, so normal. What I find unusual, however, is that it appears CeX is dodging the question as to why it has not itself reset customer passwords as a precaution, rather than asking users to log in and do it themselves.

Also, although in an advisory posted on its website CeX says that personal information such as first name, surname, addresses, email address and phone numbers has been exposed (alongside “encrypted data from expired credit and debit cards up to 2009”), no information has been shared regarding when it discovered that a breach had occurred or for how long hackers may have been able to access the sensitive information.

To be fair, some of CeX’s customers don’t seem that bothered about the breach.

Should CeX customers be bothered? I think so. Personal information like that which has been exposed by this security breach could be exploited by criminals. For instance, it’s easy to imagine how a scammer could target customers by sending them an email pretending to come from CeX, or even ring them up at home in an attempt to extract more information.

We place our trust in online organisations to take proper care of our personal information, and our privacy and security are chipped away every time there is an incident like this.

Regarding passwords, CeX hasn’t been entirely transparent about how they were being stored. In its advisory it says that although the passwords were not stored in plain text, if a password is “not particularly complex” then it is possible that it could be cracked in time.

You may not care that much about your CeX account being broken into by a hacker who has cracked your password, but you almost certainly will be upset if they manage to use the same password to break into some of your other online accounts.

For that reason, it makes sense to choose a strong, hard-to-crack, unique password for all of your accounts.

The best approach, in my opinion, is to use a good password manager to remember and securely store all of these complex, impossible-to-remember passwords for you, as we discussed in a past episode of the “Smashing Security” podcast.

Password management software like Bitwarden, 1Password, and KeePass is a must.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “CeX data breach impacts two million UK accounts, customers told to change passwords ASAP”

  1. The problem with password managers is the fact that you have to trust a 3rd party with securing your details. As has been demonstrated in the past, some password managers have been cracked and data leaked to the dark net. Also, some password managers charge a monthly fee. Personally, I'd like to use one, but I am dissuaded by the past breaches and possible fees. Other problems :-
    1) Techniques used to stuff passwords into forms and entry fields vary, with some working on certain pages and some not.
    2) Support for the password manager across all platforms (Android, Windows, MacOS, iOS, BeOS, …) – usually, there is a platform you may use but it is not supported by the free password managers. Ones that do support cross-platform are chargeable.

    These are the "real world" problems to the uptake of password managers. Advice on which to use for free would be nice, if you're going to tell people to use them. Perhaps an article on the current state of password managers would help. It's a minefield out there currently!
