[BreachExchange] 1.4 million online fashion shoppers exposed after data breach at UK ecommerce provider

Inga Goddijn inga at riskbasedsecurity.com
Mon Jul 30 10:28:46 EDT 2018


https://www.grahamcluley.com/online-fashion-shoppers-exposed-ecommerce-breach/

Customers of a number of UK clothing and accessories websites have had
their personal information exposed following a security breach at an IT
services provider that they were sharing.

Brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags,
DLSB (Dirty Little Style Bitch), and Traffic People entrusted web
development and ecommerce company Fashion Nexus to help them build an
online store.

Unfortunately, something went wrong (Fashion Nexus, and its sister company
White Room Solutions, refuses to say what) and a white hat hacker was able
to access a server containing a shared database containing personal details
of the online clothing stores’ customers.

In all, the exposed information contains personal information of
approximately 1.4 million users, including MD5-hashed passwords, password
salts, names, email addresses, phone numbers, and other data. There is no
indication that payment card information was put at risk.
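The leaked table held MD5 hashes plus their salts. The following Python is an added example, not part of Cluley's article and not code from Fashion Nexus or White Room Solutions; it shows why per-user salts do not rescue MD5 as a password store. It assumes a legacy md5(salt + password) scheme (an assumption: the article does not say how the salt was applied), builds a small constructed dump and wordlist inline, runs an offline dictionary attack against it, and contrasts that with a memory-hard KDF (scrypt) that makes the same attack expensive.

```python
"""Salted MD5 vs. a memory-hard KDF for password storage (added example)."""
import hashlib
import hmac
import os
import time

# Assumed legacy scheme for the demo: md5(salt + password), hex-encoded.
# The real scheme used by the breached site is not stated in the article.
def md5_salted(salt: str, password: str) -> str:
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()

# Constructed credentials (not real breach data) used to build a sample dump.
_PLAINTEXT = {
    "alice@example.com": "password1",
    "bob@example.com": "summer2018",
    "carol@example.com": "Fq7!vLp2#dZk9wQe",   # deliberately not in the wordlist
}

def build_dump(plaintext=_PLAINTEXT):
    """Return rows of (email, salt, md5_hex), the shape a leaked table might have."""
    rows = []
    for i, (email, pw) in enumerate(plaintext.items()):
        salt = hashlib.sha1(f"salt{i}".encode()).hexdigest()[:8]  # deterministic per-user salt
        rows.append((email, salt, md5_salted(salt, pw)))
    return rows

# Constructed mini wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "summer2018", "letmein"]

def crack_dump(rows, wordlist=WORDLIST):
    """Offline dictionary attack against salted MD5.

    Per-user salts defeat precomputed (rainbow) tables, but the attacker just
    hashes every candidate once per user: len(rows) * len(wordlist) MD5 calls,
    which is trivial even on a laptop and enormous throughput on a GPU.
    """
    recovered = {}
    for email, salt, target in rows:
        for candidate in wordlist:
            if hmac.compare_digest(md5_salted(salt, candidate), target):
                recovered[email] = candidate
                break
    return recovered

def md5_rate(seconds=0.2):
    """Rough single-core MD5 guesses/second in this interpreter (GPUs: billions/s)."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        md5_salted("deadbeef", "candidate%d" % n)
        n += 1
    return n / seconds

# Hardened form: scrypt (memory-hard) with a random 16-byte salt per user.
# Parameters kept modest so the demo runs quickly; raise n for production.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

def scrypt_hash(password: str, salt=None):
    """Return (salt, key); both are stored, the password is not."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, key

def scrypt_verify(password: str, salt: bytes, key: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)

def scrypt_rate(seconds=0.5):
    """Guesses/second against scrypt with the parameters above; compare with md5_rate()."""
    salt = b"\x00" * 16
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        scrypt_verify("candidate%d" % n, salt, b"\x00" * 32)
        n += 1
    return n / seconds

if __name__ == "__main__":
    dump = build_dump()
    print("recovered from salted-MD5 dump:", crack_dump(dump))
    print("MD5 guesses/s: %.0f   scrypt guesses/s: %.0f" % (md5_rate(), scrypt_rate()))
```

Run it to see the two weak passwords fall out of the salted-MD5 dump immediately while the strong one survives only because it is absent from the wordlist; the printed rates show the per-guess cost gap that a proper KDF (scrypt, bcrypt, Argon2) buys you, which is the defence the salt alone does not provide.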

You won’t know any of this from visiting the Fashion Nexus or White Room
Solutions websites, as they are refusing to issue any public statement.

When I asked White Room if they would be issuing a statement, their
response was pretty emphatic.

(By the way, in an unconnected boo-boo, the White Room Solutions and
Fashion Nexus websites don’t support HTTPS - which doesn’t exactly instil
confidence that they’re top of their game when it comes to advising on
ecommerce.)

However, White Room Solutions does tell me that it has informed the
affected brands, and that it is leaving it up to the affected brands to
contact their exposed customers about their data being breached, as well as
inform the Information Commissioner’s Office (ICO).

White Room Solutions were also prepared to confirm to me privately that
they had resolved the security issue:

“The breach was via a site that has subsequently been taken down and is
considered resolved.”

I can find no mention of the data breach on the websites of the brands
involved, so new customers will not know that there have been security
problems in the past.

If any customers of the affected online stores happen to read this I would
be fascinated to hear if you have received a notification from the websites
concerned, warning you that your personal data was put at risk.