UK shoe retailer Office has sent its customers an email today, explaining that it has suffered a serious security breach.
Office says it became aware of a potential breach on May 22 2014, and confirmed it on May 26th. As a result it is resetting users’ passwords.
The good news is that Office does not store any financial information about its customers, so it wasn’t able to lose your credit card or PayPal details.
However, information which was accessed by the hackers included customers’ names, addresses, birth date and month (but not year), password and phone number… if you created your Office.co.uk account prior to August 2013.
Office does not mention anything about the passwords being hashed, salted or even “encrypted”… which possibly means we can expect the worst and that even the most basic protection wasn’t in place to prevent the hackers from exploiting any stolen passwords.
Obviously if you were using the same password anywhere else on the net, you should change it now (and learn to stop reusing passwords!) as a matter of priority.
I was also disappointed to see no mention of the security breach on Office’s home page.
You won’t even find mention of the incident on its blog. Thanks to reader Gary Hawkins, who discovered this buried-away link containing further information for concerned customers.
Has no-one learnt anything from eBay’s shambolic response to its own security breach?