CeX data breach impacts two million UK accounts, customers told to change passwords ASAP

Data breach exposes information of registered website customers.

Second-hand electronics dealer CeX is warning that it has suffered a data breach that has exposed the personal information of up to two million customers.

The bad news was announced in the form of an email sent to registered users of CeX's webuy.com website.

Customers are being advised to change their webuy.com password, and should ensure that they are not using the same password anywhere else on the internet.

So far, so normal. What I find unusual, however, is that it appears CeX is dodging the question as to why it has not itself reset customer passwords as a precaution, rather than asking users to log in and do it themselves.

Also, although CeX says in an advisory posted on its website that personal information such as first name, surname, addresses, email address and phone numbers has been exposed (alongside "encrypted data from expired credit and debit cards up to 2009"), no information has been shared regarding when it discovered that a breach had occurred or for how long hackers may have been able to access the sensitive information.

To be fair, some of CeX's customers don't seem that bothered about the breach.

Should CeX customers be bothered? I think so. Personal information like that which has been exposed by this security breach could be exploited by criminals. For instance, it's easy to imagine how a scammer could target customers by sending them an email pretending to come from CeX, or even ring them up at home in an attempt to extract more information.

We place our trust in online organisations to take proper care of our personal information, and our privacy and security are chipped away every time there is an incident like this.

Regarding passwords, CeX hasn't been entirely transparent about how they were being stored. In its advisory it says that although the passwords were not stored in plain text, if a password is "not particularly complex" then it is possible that it could be cracked in time.

You may not care that much about your CeX account being broken into by a hacker who has cracked your password, but you almost certainly will be upset if they manage to use the same password to break into some of your other online accounts.

For that reason, it makes sense to choose a strong, hard-to-crack, unique password for all of your accounts.

The best approach, in my opinion, is to use a good password manager to remember and securely store all of these complex, impossible-to-remember passwords for you, as we discussed in a past episode of the "Smashing Security" podcast.

Password management software like Bitwarden, 1Password, and KeePass is a must.

One Response

  1. Mark Jacobs

    August 31, 2017 at 11:54 am #

    The problem with password managers is the fact that you have to trust a 3rd party with securing your details. As has been demonstrated in the past, some password managers have been cracked and data leaked to the dark net. Also, some password managers charge a monthly fee. Personally, I'd like to use one, but I am dissuaded by the past breaches and possible fees. Other problems :-
    1) Techniques used to stuff passwords into forms and entry fields vary, with some working on certain pages and some not.
    2) Support for the password manager across all platforms (Android, Windows, MacOS, iOS, BeOS, …) – usually, there is a platform you may use but it is not supported by the free password managers. Ones that do support cross-platform are chargeable.

    These are the "real world" problems to the uptake of password managers. Advice on which to use for free would be nice, if you're going to tell people to use them. Perhaps an article on the current state of password managers would help. It's a minefield out there currently!
