Customers of a number of UK clothing and accessories websites have had their personal information exposed following a security breach at an IT services provider that they were sharing.
Brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People entrusted web development and ecommerce company Fashion Nexus to help them build an online store.
Unfortunately, something went wrong (Fashion Nexus, and its sister company White Room Solutions, refuses to say what), and white hat hacker Taylor Ralston was able to access a server containing a shared database containing personal details of the online clothing stores’ customers.
In all, the exposed information contains personal information of approximately 1.3 million users, including password hashes (MD5 and SHA-1, both salted), names, dates of birth, email addresses, phone numbers, and other data. There is no indication that payment card information was put at risk.
You won’t know any of this from visiting the Fashion Nexus or White Room Solutions websites, as they are refusing to issue any public statement.
When I asked White Room if they would be issuing a statement, their response was pretty emphatic.
(By the way, in an unconnected boo-boo, the White Room Solutions and Fashion Nexus websites don’t support HTTPS – which doesn’t exactly instil confidence that they’re top of their game when it comes to advising on ecommerce.)
However, White Room Solutions does tell me that it has informed the affected brands, and that it is leaving it up to the affected brands to contact their exposed customers about their data being breached, as well as inform the Information Commissioner’s Office (ICO).
White Room Solutions were also prepared to confirm to me privately that they had resolved the security issue:
“The breach was via a site that has subsequently been taken down and is considered resolved.”
I can find no mention of the data breach on the websites of the brands involved, so new customers will not know that there have been security problems in the past.
If any customers of the affected online stores happen to read this I would be fascinated to hear if you have received a notification from the websites concerned, warning you that your personal data was put at risk.
Update 31 July 2018: One of the affected firms, Jaded London, has issued the following statement:
Jaded London are aware of a data breach that affected a historic database, stored on a server run by Fashion Nexus. The information that was accessible at this time was limited to data related to shipping of archived orders and no time was sensitive data, such as payment details, stored or accessible. Jadedldn.com is not and was not managed by Fashion Nexus at the time of the breach, and at no time was the Jadedldn.com live website compromised. As part of our dedication to the security of our customers and their data, we are in contact with the ICO and continue to review our security with our current developers and providers. We would welcome any customers who are concerned about their data to contact us directly.
Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.
I have been a costumer at AX Paris for a couple of years. I have not received any information about the data breach incident.
Sorry to hear that Kaya. I contacted AX Paris before publishing my article, but still haven't received a response from them.
I got notification via haveibeenpwned but not from the site direct yet. Being a whitehat who did the breach, does that mean there is no actual breech but only the possibility that someone was able to do before what the whitehat did?
Either way, good idea to not only use a password manager (I personally use LastPass) but also ensure you use a reputable bank for making online purchases as they often give additional protection when websites/password fail
Well, a security breach occurred because the data was accessible to an unauthorised party.
As far as I'm aware the whitehat hacker who stumbled across the data has no intentions to make it public. However, we have no way of knowing how long the data was at risk, or if other unauthorised parties may have accessed it.
It's disturbing that no-one has seen any data breach notifications from the companies concerned yet, and if this site and HaveIBeenPwned hadn't shone a light on it maybe no-one would have ever known.
Is there a list of companies involved? I recieved a notification from 'have I been pwned' but nothing from anywhere I have shopped with.
I'm afraid that if you're not a customer of one of the companies I list above you will probably have to contact White Room Solutions/Fashion Nexus to ask them how come your credentials were in their database. Hmm. Good luck with that…
Fashion Nexus discloses the breach on its website now. White Room, as far as I can see, does not.
From the Fashion Nexus website:
Customer records expose nothing more than email address, encrypted password, optionally name, and optionally telephone number.
Is this true? This seems at odds with the list of data fields mentioned above.
No, it was more information than that. For instance, some customers' physical addresses, IP addresses, etc.
Also, according to the white hat who came across the problem, DLSB's database was not compromised but customer order information did leak from a poorly-secured mailbox, "due to smtp config information left there by White Room."
On balance, I thought the comment about the company websites not supporting HTTPS was unfair. These are purely informational sites as far as I can see. There are no forms, no personal information, no accounts and therefore are of negligible benefit to anyone who might target the sites for nefarious purposes.
Having been in the IT Security Industry for around 15 years, I do appreciate how potentially serious this could be, however each case must be judged by its own merit.
Since GDPR it seems there is a bit of a witch-hunt for the most minor of slip-ups for what are generally small companies, struggling to make a buck in a very competitive industry. The negligence I have seen in large corporations makes this data breach seem petty in comparison, hardly worthy of a headline. Given the traditionally 'low impact' nature of the information leaked in this case, if it is indeed as reported, I think we have to take it with a pinch of salt.
I agree with you that the lack of HTTP support on the Fashion Nexus and White Room Solutions sites is not the worst security transgression in the world – but I do believe it says something about how "on-the-ball" they are when it comes to the direction the web (and browsers) are moving.
The real problem here is the data breach, and the lack of transparency, and the failure to inform customers. I suspect that customers simply would never have known about this incident at all unless parties external to the company that was hacked had got involved.
Kudos to the white hat for attempting to responsibly disclose his findings to the company (they didn't reply to him), and then his reaching out to me and Troy Hunt from HaveIBeenPwned.
I have only just found out about this breach, and to let you all know the information they got is on the dark web they got email addresses date of birth and passwords I found out by doing a search on credit score and the info was shared 54 time. Disgusted that axa did not inform any of its customers as I wasn’t informed by them and I find out later on, I will never shop online with them again.
Elle Belle Attire did not alert any customers to this. Have only found out through ClearScore and my own research! Will not be shopping with them again!
I have only just discovered all my personal information is on the dark web because of ax Paris, was never informed and know through clear score! Didn’t even know who white room were until I found this post!