Over half a million shoppers have had their personal data put at risk after a security breach at an IT supplier to several e-commerce sites.
An undisclosed security issue at service provider Fashion Nexus allowed a white hat hacker to access a server containing a database of clients’ customer details.
Although the initial figure arrived at by security researcher Graham Cluley was 1.4 million affected customers, Fashion Nexus claimed far fewer were impacted.
“There are 922k unique email addresses which of these, around 280k were captured by audit processes in brute force login attempts from external unrelated already-breached email lists,” it claimed in a statement.
“This leaves limits the exposure of our clients' data to 642k customer records. The age of the data stores involved (as they were for test purposes) means that most of these customer records are between two and nine years old.”
The exposed data includes email addresses, encrypted passwords, names, telephone numbers and addresses for some but not all. The firm was at pains to point out that no financial data was compromised.
However, hackers can still do a lot with non-financial data, explained NuData Security VP, Ryan Wilk.
“The personally identifiable information accessed can easily fuel synthetic identity fraud and identity theft. With these types of fraud, PII such as name, address, or date of birth is traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft,” he argued.
“NuData has seen a 100% increase in purchase attempts with flagged — suspicious — credit cards, which are often used under a fake account that has been created with stolen information.”
Fashion Nexus recommended that customers of AX Paris, Granted London, Jaded London, ElleBelle attire and Traffic People change their account passwords.
“Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server. The breach was quickly identified and the vulnerability removed. The ICO has been informed,” it added.
As pointed out by Cluley, in another security gaffe, the company does not have an HTTPS-enabled site, potentially exposing it to further compromise in the future.
The incident calls to mind a far more serious discovery last month. Threat group Magecart is said to have compromised as many as 800 e-commerce sites around the globe by injecting malicious code into the software supply chain.