September 9, 2011
Posted by felix
How NOT to do PR: the BuyVIP hack case study
Today, I received an email from BuyVIP informing me that their database had been hacked. Apparently, the website had been offline for a couple of days, and the email explains why. This is a serious breach: not only names and email addresses were retrieved, but also birth dates, real shipping addresses and phone numbers. Worst of all, passwords have been accessed as well.
I assume that BuyVIP was smart enough to store only encrypted passwords, but I am sure that brute-force attacks on the stolen data can still recover some of them. Worse yet, as a customer you can be sure that your data is now being traded on some shady message boards.
Here is the text BuyVIP sent to its users (translated from the German original):
“Dear BuyVIP member,
We would like to inform you today that there may have been unauthorised access to some of your BuyVIP customer data, including name, e-mail address, shipping address, date of birth, telephone number and the protected password.
Payment information, including credit card information, is not affected.
Although we store passwords in encrypted form, as an additional precaution we recommend that you change your password for the BuyVIP online portal. This recommendation also applies to other websites for which you use the same or similar passwords.
We would also like to point out that BuyVIP will never ask you for personal data or your login and password by e-mail. If you receive e-mails that request personal data or link to a website on which you are asked to enter personal data, please treat them with caution.
We would like to apologise for the inconvenience.
If you currently have an open order with us, our team will continue to process it and deliver it to you as agreed.
Your BuyVIP customer service.”
Well, first of all, they should have informed their users earlier if their website had already been offline for a few days. Still, they might have needed some time to figure out what went wrong. What I find really bad is that they are trying to hide this public relations GAU (German for worst-case scenario) from the public! They only inform users by email; there is no mention of it on any other channel, such as their Facebook page, their Twitter account @clubshopping, their blog http://www.insidebuyvip.com/ or their press page.
I am not the only affected person in the world – just do a quick search on Twitter for #buyvip. Apparently, users are already deleting their accounts.
When I tried to contact BuyVIP on their Facebook page, politely asking why there is so little information, THEY DELETED MY FACEBOOK COMMENT! This is ridiculous: a consumer Internet company that has suffered a severe security breach and lost personal and sensitive user data is purposefully hiding from the public and deleting questions on the matter on Facebook. Very bad PR style. Here is the proof, a very lame response in my opinion:
To be fair, it seems that they simply set up their Facebook wall so that non-BuyVIP posts are moved up while all others are moved down. So no deleted posts after all. Still, why is there no mention of this incident on Facebook? Why do they only send an email, and why on a Friday night when few people are active online…?
I hope this bites them back. I will probably follow suit and do what most Twitter users did, delete my account with them. If you were hit, make sure not to respond to weird emails asking for your password and change your password if you used it somewhere else…
Update 2011-09-10:
So far I have not been able to find any public statement by BuyVIP, and I assume the fact that the media hasn’t picked up on this story at all – unlike the T-Mobile data theft or the very recent Sony hack (German article and English article) – is down to the “perfect timing”. However, it seems that their whole user base is affected, which means we are talking about roughly 6 million users!! This is an incredible number given the amount of information the hackers stole. From Twitter and Facebook comments it seems that many users’ data was deleted entirely or their personal information was changed. When I logged into my account, my address and phone number were gone and my birth date and home town had been changed to some ridiculous values. This could be an indication that backups are not available; why else would BuyVIP switch their site back on with fake and incomplete data if they had had the real data as a backup? Bad for them, because not only do they need to regain the trust of their users (many are cancelling accounts, judging by the angry tweets), they also might have to get users to re-enter their data. That will be a tough task…
At the same time, it seems that this is really an international issue, since blogs in Poland and Spain are talking about the same email. I wonder whether these emails also had the seemingly innocent subject line “Information zum BuyVIP Online Portal”, which translates as “information regarding the BuyVIP online portal”. A fitting subject line given the gravity of the issue. I am sure that a vast number of users simply deleted this email, because they thought it was just another shopping deal newsletter.
September 9, 2011
Well… your posts are still there. The Wall is set up to show BuyVIP only, you have to change the view and scroll down past the BuyVIP posts: http://www.facebook.com/BuyVIP?sk=wall&filter=12
September 10, 2011
Yes, you are right. Saw it as well – my bad! Still, why did they not mention anything at all on their public channels, why send out an email like this Friday evening.
September 10, 2011
Thx for backlink, you may be interested in another source http://translate.google.pl/translate?hl=en&sl=pl&tl=en&u=http%3A%2F%2Fniebezpiecznik.pl%2Fpost%2Fwyciek-danych-z-buyvip-pl-teraz-markafoni-pl-serwisu-grupy-allegro%2F