[BreachExchange] Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

Destry Winant destry at riskbasedsecurity.com
Tue Aug 21 23:24:04 EDT 2018


https://www.theregister.co.uk/2018/08/21/superdrug_hackers_claims/

Hackers claim to have grabbed the personal details of almost 20,000
bods who shopped online at Superdrug, the British cosmetics retailer
has confirmed. Payment card details are not said to be among the haul.

The biz has emailed customers, El Reg can confirm, advising them of
the “possible disclosure of your personal data, but not including your
payment card information.”

“On the evening of the 20th of August, we were contacted by hackers
who claimed they had obtained a number of our customers’ online
shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised.
We believe the hacker obtained customers’ email addresses and
passwords from other websites and then used those credentials to
access accounts on our website.”

The cyber villains alleged they had “obtained information on
approximately 20,000 customers but we have only seen 386,” the chain
added, leading us to believe this is a classic credential-stuffing
stunt by the crooks. That's when scumbags take passwords and usernames
leaked from one website and use them to log into accounts on other
sites, exploiting the fact people reuse their passphrases across
various online services and profiles.

Customers’ names, postal addresses and “in some instances” date of
birth, phone number and points balances “may have been accessed”, the
email stated. The retailer advised customers to update their
Superdrug.com password “now and on an on-going, frequent basis.”

Superdrug has contacted the cops and Action Fraud about the incident,
and “will be offering them all the information they need for their
investigation.” It is believed the miscreants contacted the retailer
in hope of extorting money from the business in exchange for their
silence.

A spokesperson for Superdrug was not available for immediate comment. ®
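The pattern The Register describes above, many different accounts tried from one source with most attempts failing and a few succeeding because the victims reused a password leaked elsewhere, is what a defender looks for in authentication logs. The script below is an added example and is not code from the article, The Register or Superdrug; the log line format, the thresholds and the sample lines are all constructed assumptions. It separates a stuffing source from two benign look-alikes (one user retrying a forgotten password, and an office NAT address behind which several users log in successfully) and lists the accounts the attacker actually got into, which are the ones to force a reset on.

```python
"""Heuristic credential-stuffing detector over web login logs (added example).

Assumed log format (constructed for this example, not Superdrug's real format):
    <iso-timestamp> login ip=<addr> user=<email> result=<ok|fail>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample data. 203.0.113.7 sprays one password per account across many
# accounts (stuffing); 198.51.100.20 is one user fumbling their own password;
# 192.0.2.9 is a shared office address with several genuine logins.
SAMPLE_LOG = """\
2018-08-20T21:00:01Z login ip=203.0.113.7 user=alice@example.com result=fail
2018-08-20T21:00:02Z login ip=203.0.113.7 user=bob@example.com result=fail
2018-08-20T21:00:03Z login ip=203.0.113.7 user=carol@example.com result=ok
2018-08-20T21:00:04Z login ip=203.0.113.7 user=dave@example.com result=fail
2018-08-20T21:00:05Z login ip=203.0.113.7 user=erin@example.com result=fail
2018-08-20T21:00:06Z login ip=203.0.113.7 user=frank@example.com result=fail
2018-08-20T21:00:07Z login ip=203.0.113.7 user=grace@example.com result=fail
2018-08-20T21:00:08Z login ip=203.0.113.7 user=heidi@example.com result=fail
2018-08-20T21:01:00Z login ip=198.51.100.20 user=ivan@example.com result=fail
2018-08-20T21:01:10Z login ip=198.51.100.20 user=ivan@example.com result=fail
2018-08-20T21:01:20Z login ip=198.51.100.20 user=ivan@example.com result=ok
2018-08-20T21:02:00Z login ip=192.0.2.9 user=judy@example.com result=ok
2018-08-20T21:02:05Z login ip=192.0.2.9 user=kate@example.com result=ok
2018-08-20T21:02:10Z login ip=192.0.2.9 user=leo@example.com result=ok
2018-08-20T21:02:15Z login ip=192.0.2.9 user=mallory@example.com result=ok
2018-08-20T21:02:20Z login ip=192.0.2.9 user=nick@example.com result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)       # distinct accounts tried
    compromised: Set[str] = field(default_factory=set)  # accounts where login succeeded


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.compromised.add(rec["user"])
    return stats


def flag_stuffing(stats: Dict[str, SourceStats], min_users: int = 5,
                  min_fail_ratio: float = 0.8) -> Dict[str, SourceStats]:
    """Flag sources that tried many *distinct* accounts and mostly failed.

    The distinct-account requirement is what separates stuffing from a single
    user retrying their own password; the failure ratio separates it from a
    shared address where many users log in normally. Thresholds are assumptions.
    """
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }


def compromised_accounts(flagged: Dict[str, SourceStats]) -> List[str]:
    """Accounts successfully entered from a flagged source: force-reset these."""
    return sorted({u for s in flagged.values() for u in s.compromised})


if __name__ == "__main__":
    flagged = flag_stuffing(summarise(SAMPLE_LOG.splitlines()))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("force password reset for:", compromised_accounts(flagged))
```

On the constructed data only 203.0.113.7 is flagged, and the one account it logged into is the reset list. In production the same counters would be kept over a sliding window and keyed by IP range or by the password hash tried rather than a single address, since stuffing tools rotate through proxy pools to stay under per-IP limits.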
