Second-hand electronics dealer CeX is warning that it has suffered a data breach that has exposed the personal information of up to two million customers.
The bad news was announced in the form of an email sent to registered users of CeX’s webuy.com website.
Customers are being advised to change their webuy.com password, and should ensure that they are not using the same password anywhere else on the internet.
So far, so normal. What I find unusual, however, is that it appears CeX is dodging the question as to why it has not itself reset customer passwords as a precaution, rather than asking users to log in and do it themselves.
Whilst we are liaising with the authorities we cannot provide any detail at present. We will provide updates via https://t.co/tHyRDNX2r3
— CeX (@Cex) August 30, 2017
Also, although in an advisory posted on its website CeX says that personal information such as first name, surname, addresses, email address and phone numbers have been exposed (alongside “encrypted data from expired credit and debit cards up to 2009”), no information has been shared regarding when it discovered that a breach had occurred or for how long hackers may have been able to access the sensitive information.
To be fair, some of CeX’s customers don’t seem that bothered about the breach.
Should CeX customers be bothered? I think so. Personal information like that which has been exposed by this security breach could be exploited by criminals. For instance, it’s easy to imagine how a scammer could target customers by sending them an email pretending to come from CeX, or even ring them up at home in an attempt to extract more information.
We place our trust in online organisations to take proper care of our personal information, and our privacy and security is chipped away every time there is an incident like this.
Regarding passwords, CeX hasn’t been entirely transparent about how they were being stored. In its advisory it says that although the passwords were not stored in plain text, if a password is “not particularly complex” then it is possible that it could be cracked in time.
You may not care that much about your CeX account being broken into by a hacker who has cracked your password, but you almost certainly will be upset if they manage to use the same password to break into some of your other online accounts.
For that reason, it makes sense to choose a strong, hard-to-crack, unique password for all of your accounts.
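The two points made above, that a hashed but weak password can still be cracked offline, and that a reused password turns one breach into many, are illustrated by the following Python example. It is an added example, not code from the article or from CeX: it shows how a site should store passwords (a salted, memory-hard KDF such as scrypt, so each attacker guess is expensive) and how it can refuse passwords that already appear in a known-leaked list, which is the same SHA-1 lookup scheme that public "pwned password" services use. The KDF parameters and the tiny leaked-password list are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt work factors (assumed values for the example, not CeX's settings).
# A memory-hard KDF makes each guess cost real CPU and RAM, unlike a bare
# MD5/SHA-1 hash that a GPU can try billions of times per second.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16

# Constructed stand-in for a breach corpus: the SHA-1 of passwords that have
# already leaked elsewhere. Real deployments use a large list (or a
# k-anonymity API) rather than three entries.
KNOWN_LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "qwerty", "letmein")
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_known_leaked(password: str) -> bool:
    """True if the password is in the leaked list; such passwords should be refused."""
    return hashlib.sha1(password.encode()).hexdigest() in KNOWN_LEAKED_SHA1


def register(password: str) -> Optional[str]:
    """Store a new password, or return None if it is already in a breach list.

    Refusing leaked passwords at sign-up is the server-side counterpart of the
    advice to pick a unique password: a reused one is the first thing tried.
    """
    if is_known_leaked(password):
        return None
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("password123", record))
    print("leaked rejected:", register("password123") is None)
```

Because the record carries its own parameters, the work factors can be raised later and old records re-hashed at next login without a migration. Note also that after a confirmed breach the sensible server-side step is to invalidate the stored records and force a reset, rather than leaving each user to log in and change it themselves.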
The best approach, in my opinion, is to use a good password manager to remember and securely store all of these complex, impossible-to-remember passwords for you, as we discussed in a past episode of the “Smashing Security” podcast.
Smashing Security: 'Passwords – a Smashing Security splinter'
Password management software like Bitwarden, 1Password, and KeePass is a must.
One comment on “CeX data breach impacts two million UK accounts, customers told to change passwords ASAP”
The problem with password managers is the fact that you have to trust a 3rd party with securing your details. As has been demonstrated in the past, some password managers have been cracked and data leaked to the dark net. Also, some password managers charge a monthly fee. Personally, I'd like to use one, but I am dissuaded by the past breaches and possible fees. Other problems:
1) Techniques used to stuff passwords into forms and entry fields vary, with some working on certain pages and some not.
2) Support for the password manager across all platforms (Android, Windows, MacOS, iOS, BeOS, …) – usually, there is a platform you may use but it is not supported by the free password managers. Ones that do support cross-platform are chargeable.
These are the "real world" problems to the uptake of password managers. Advice on which to use for free would be nice, if you're going to tell people to use them. Perhaps an article on the current state of password managers would help. It's a minefield out there currently!