Retailer Leaked Hundreds of Internal Passwords on Pastebin

Krebs on Security

Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. and founded in 1856, privately-held Orvis is the oldest mail-order retailer in the United States.

Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach

Security Affairs

Retail giant Home Depot has agreed to a $17.5 The US largest home improvement retailer giant Home Depot agrees to $17.5 According to the US retailer the payment card information of approximately 40 million Home Depot consumers nationwide.



Sports retail giant Decathlon leaks 123 million customer and employee records

IT Governance

Decathlon, the world’s largest sporting goods retailer, has suffered a massive data breach, affecting 123 million customer and employee records. It contained information from the retailer’s Spanish businesses and potentially its UK stores.


How data breaches are affecting the retail industry

IT Governance

Only time will tell – and we may not have to wait long – but in the meantime, what is the impact of data breaches in the retail industry, and what needs to be done to mitigate them? The data included contact information, usernames and encrypted passwords. World-famous retailer Fortnum & Mason suffered a data breach, affecting 23,000 of its customers, through a Typeform service used to collect votes for one of the categories in its food and drink awards. Data breaches.

Time to Change Your Password!

The Texas Record

Isn’t it fun to use different passwords for all of the dozens of accounts you use and just when you think you’ve got them memorized you’re forced to change them every few months? The standards on password usage are changing. Before I tell you about the new standards, let’s look at some of the best practices we’ve come to know for password usage in most systems. No more security questions or hints to recover the password.

CNIL Adopts Its First Sanction as Lead Supervisory Authority, Fining French Online Shoe Retailer

Hunton Privacy

On August 5, 2020, the French Data Protection Authority (the “CNIL”) announced that it has levied a fine of €250,000 on French online shoe retailer, Spartoo, for various infringements of the EU General Data Protection Regulation (“GDPR”).

Crooks claim to have stolen 20k customer records from Superdrug cosmetics retailer

Security Affairs

Hackers claim to have stolen the personal details of almost 20,000 Superdrug customers who shopped online at the cosmetics retailer. The British Superdrug is the last victim of a security breach, hackers claim to have stolen the personal details of almost 20,000 people who shopped online at the cosmetics retailer. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”

Weekly podcast: Password managers, unpatched vulnerabilities, formjacking and Wendy’s

IT Governance

Researchers at ISE have identified security flaws affecting four popular password managers on the Windows 10 platform, which could allow malware to access the master password and/or the individual passwords stored in them, even when the password managers are locked. The researchers explain that: “All password managers [they] examined sufficiently secured user secrets while in a ‘not running’ state. This is not to say you should abandon your password manager.

Episode 199 COVID’s Other Legacy: Data Theft and Enterprise Insecurity

The Security Ledger

In this episode of the podcast (#199), sponsored by LastPass, we’re joined by Barry McMahon, a Senior Global Product Marketing Manager at LogMeIn, to talk about data from that company that weighs the security impact of poor password policies and what a “passwordless” future might look like.

Weekly podcast: ICANN, DNS and DNSSEC; credential stuffing; passwords managers; and EDPS report

IT Governance

This week, we discuss ICANN’s warning about DNS attacks, the extent of credential stuffing attacks on the retail sector, password managers’ responses to recent research into security flaws, and the European Data Protection Supervisor’s annual report for 2018. We often talk about the perils of password reuse. As long as passwords are recycled, credential stuffing and [account takeovers] will continue to be a steady criminal enterprise.”

Point-of-Sale (POS) Security Measures for 2021

eSecurity Planet

It’s a tough time to be a retailer. Using POS devices for other tasks: Carson said retailers too often allow users to leverage POS systems for common tasks like checking email or surfing the Web.


Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018

Dark Reading

Using e-mail addresses and passwords from compromised sites, attackers most often targeted retail sites, video-streaming services, and entertainment companies, according to Akamai

UK ICO Issues Unprecedented Fine Against Mobile Phone Retailer for Lax Security

Hunton Privacy

On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer, The Car Phone Warehouse Limited. Following an attack on their system in 2015, the ICO found that the company had failed to take adequate steps to protect the personal data it held on its system.

Lessons from the Eurostar hack

IT Governance

Once Eurostar realised it had suffered a data breach, it: Identified the timing and the scale of the breach; Blocked access; Emailed customers alerting them to the situation and advising them to reset passwords; and. A Eurostar spokesperson said: [W]e identified what we believe to be an unauthorised automated attempt to access customer accounts, so as a precaution, we asked all account holders to reset their password.

Hacked Off: Lawsuit Alleges CafePress Used Poor Security

Data Breach Today

23 Million Victims Across US, UK, EU and Australia Receive Breach Notifications Personalized product retailer CafePress has been hit with a lawsuit alleging that it failed to notify 23 million customers about a data breach in a timely manner or follow security best practices. The company was allegedly still using outdated SHA-1 to hash passwords, which can be easily cracked


JavaScript keylogger sees Vision Direct’s customer data stolen

IT Governance

Passwords. Contact lens supplier Vision Direct has released information about a data breach it suffered earlier this month. “Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November, the personal and financial details of some of our customers ordering or updating their information on was compromised,” said a statement on its website.

Superdrug’s customers affected in data breach

IT Governance

Password advice. Superdrug’s email suggests that customers log in and change their password now “and on an on-going, frequent basis”. I don’t know about you, but I have around 90 online accounts – if I get into the habit of changing my passwords every 6 months, I’ll very quickly run out of ideas, which will either make me use weak passwords or use the same password across multiple accounts. Superdrug should be encouraging customers to use a password manager.

Adidas data breach

IT Governance

In its statement, Adidas said: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. If you would like more information on how to do this, request a call with one of our retail experts. On 28 June 2018, athletic apparel company Adidas announced that its US website had suffered a data breach, exposing online customers’ personal data. The breach was detected on 26 June.

Fortnum & Mason customers’ personal data exposed in breach

IT Governance

Unfortunately, world-famous retailer Fortnum & Mason was recently let down by a weak link – survey company Typeform – that exposed the personal data of 23,000 of its customers. Fortnum & Mason confirmed that no bank details or passwords were involved, and that money and accounts are safe. These forms did not request bank or payment details, or require passwords.”

Radisson Rewards programme breached

IT Governance

The hotel group has confirmed that no payment card information, passwords or travel history were accessed. It also advised members to be aware of phishing emails: You should also be aware that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception (known as ‘phishing’) […] Radisson Rewards will not ask for your password or user information to be provided in an e-mail.

Major data leak at Cathay Pacific

IT Governance

No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised”. It has also issued guidance to help customers protect themselves, including a recommendation to change passwords and watch accounts for suspicious activity. Hong Kong-based airline Cathay Pacific has announced a major data breach affecting up to 9.4 million of its customers.

Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords

Troy Hunt

Back in August, I pushed out a service as part of Have I Been Pwned (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches via both a downloadable file and an online service. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses. Seen a password in a data breach before?

Butlin’s Hacked – 34,000 customers affected

IT Governance

Your Butlin’s usernames and passwords are also secure.” Butlin’s has suffered a data breach that has affected up to 34,000 of its customers. A spokesperson confirmed that the compromise had taken place over the past 72 hours and was caused by a phishing email. In a notice posted on its website, Butlin’s managing director, Dermot King, said: “We would like to assure all our guests that your payment details are secure and have not been compromised.

FIFA caught hook, line and sinker in phishing attack

IT Governance

While many of us can appreciate his perspective, the fact remains that there are effective tools and systems that organisations can employ to reduce the risks when sharing information, such as encryption, password controls and permissions settings. Football world-governing body FIFA has admitted that its systems suffered a sustained phishing hack earlier this year.

Superdrug Rebuffs Super Ransom After Supposed Super Heist

Data Breach Today

Pharmacy Chain Quickly Notifies Victims, But Fumbles Password Prescription U.K. health and beauty retailer Superdrug Stores is warning customers that attackers may have compromised some of their personal information, apparently because they'd reused their credentials on other sites that were hacked.


How the PSD2 helps prevent payment card data breaches

IT Governance

For example, you might be asked to provide a password and answer a secret question. Strong authentication is a less rigorous form of two-factor authentication (also known as multi-factor authentication), as it doesn’t require users to provide information from different factor classes: A knowledge factor (something you know, such as a password).

Don’t gift cyber attackers a free pass into your organisation this Christmas

IT Governance

Retailers are the most affected, but lax security over Christmas is a problem for all organisations. Here are some signs of a poorly configured device: Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password. Weak passwords. Rainbow tables: Most modern systems store passwords in a hash.

The North Face website suffered a credential stuffing attack

Security Affairs

Retail giant The North Face has reset the passwords for some of its customers in response to a successful credential stuffing attack. This kind of attack is very efficient due to the bad habit of users of reusing the same password over multiple services.

SHARED INTEL: IT pros gravitate to ‘passwordless’ authentication to improve security, boost agility

The Last Watchdog

Password abuse emerged as a criminal specialty shortly after the decision got made in the 1990s to jump start the commercial Internet using a security framework built on shared secrets. Fortifications, such as multi-factor authentication (MFA) and password managers, have come along over the past decade or so to keep password abuse in check. What a lot of people overlook is that MFA and password managers are still built on top of passwords,” Avetisov observes.

UScellular data breach: attackers ported customer phone numbers

Security Affairs

Then threat actors tricked UScellular employees working in retail stores into downloading and installing malicious software. A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer.”

Digital Enterprises: Built on Modern MDM


If you missed this event, check out the video presentations here to get the latest buzz in the data management industry (Login: | Password: berightfaster). Ankur Gupta, Sr. Product Marketing Manager, Reltio.


MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

The Last Watchdog

Thanks to botnets, if you’ve ever patronized any of the hacked enterprises, your personal data, including your favorite usernames and passwords, have probably been stolen several times over. billion stolen username and password pairs circulating in the darknet. Threat actors are always innovating fresh ways to monetize stolen usernames and passwords. The attacks targeted a range of sectors, from media and entertainment to retail and gaming.

50 Ways to Avoid Getting Scammed on Black Friday

Adam Levin

It’s worth noting that there’s no reason a legitimate retailer would need that last one — the skeleton key to your identity — to process a purchase.). Shop at reputable and recognizable retailers. Check urls for slight modifications to a popular retailer’s name.

21 Million stolen credentials from Fortune 500 companies available on the dark web

Security Affairs

“As many as 95% of the credentials contained unencrypted, or bruteforced and cracked by the attackers, plaintext passwords.” The following table shows stolen credentials per industry: Most of the login credentials (95%) include plaintext passwords, 76% of them were compromised during the last 12 months. million (4,957,093) credentials contained fully unique passwords, a circumstance that confirms the bad habit of many users to reuse passwords.

8 Ways to Protect Yourself against Scams on Black Friday and Cyber Monday

Adam Levin

Legitimate retailers are never going to make you dig for the deals, so they aren’t going to put the good stuff in an attachment. It’s not just attachments from retailers, but also from shipping companies or financial institutions. Change your passwords.

Cosmolog Kozmetik Data Breach: Hundreds of Thousands of Customers impacted

Security Affairs

The securWizCase experts found a major breach that affected the popular online retailer Cosmolog Kozmetik. l, has found a major breach in popular online retailer Cosmolog Kozmetik’s database.

Google: Security Keys Neutralized Employee Phishing

Krebs on Security

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. The basic model featured here retails for $20. The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app.

ROUNDTABLE: Targeting the supply-chain: SolarWinds, then Mimecast and now UScellular

The Last Watchdog

The intruders got in by tricking UScellular retail store employees into downloading malicious software on store computers. Having long passwords and a password manager can also add additional layers of security and protect you as a customer. It’s only February, and 2021 already is rapidly shaping up to be the year of supply-chain hacks. Related: The quickening of cyber warfare. The latest twist: mobile network operator UScellular on Jan.

Confessions of an ID Theft Kingpin, Part II

Krebs on Security

billion in new account fraud at banks and retailers throughout the United States, and roughly $64 million in tax refund fraud with the states and the IRS. Yesterday’s piece told the tale of Hieu Minh Ngo, a hacker the U.S.


SHEIN Data breach affected 6.42 million users

Security Affairs

Another fashion retailer suffered a data breach, the victim is SHEIN that announces the security breach affected 6.42 The retailer hired a forensic cybersecurity firm as well as an international law firm to investigate the security breach. SHEIN is now notifying affected users and it is urging them to change the password for their account. million customers.