Bloggin' la vida loca

Blogging about venture capital, entrepreneurship, technology and MBA studies


September 9, 2011
Posted by felix

How NOT to do PR: the BuyVIP hack case study

Today I received an email from BuyVIP informing me that their database had been hacked. Apparently the website had been offline for a couple of days, and the email explains why. This is a serious security breach: not only names and email addresses were retrieved, but also birth dates, real shipping addresses and phone numbers. Worst of all, passwords have been accessed as well.

I assume that BuyVIP was smart enough to store only encrypted passwords, but I am sure that brute-force attacks can recover some of them. Worse yet, as a customer you can be sure that your data is now being traded on some shady message boards.

Here is the text BuyVIP sent to its users (the original was in German):

“Dear BuyVIP member,

We would like to inform you today that there may have been unauthorized access to some of your BuyVIP customer data, including name, e-mail address, shipping address, date of birth, phone number and the protected password.

Payment information, including credit card information, is not affected.

Although we store passwords in encrypted form, we recommend that, as an additional precaution, you change your password for the BuyVIP online portal. This recommendation also applies to other websites for which you use the same or similar passwords.

Furthermore, we would like to point out that BuyVIP will never ask you for personal data or for your login and password by e-mail. Should you receive e-mails that ask for personal data or link to a website on which you are supposed to enter personal data, please treat them with caution.

We would like to apologize for the inconvenience.

If you currently have an open order with us, our team will continue to process it and deliver it to you as agreed.

Your BuyVIP customer service.”

Well, first of all, they should have informed their users earlier if their website had already been offline for a few days. Then again, they might have needed some time to figure out what went wrong. What I find really bad is that they are trying to hide this public relations GAU (German for worst-case scenario) from the public! They only inform users by email; there is no mention of it on any other channel, such as their Facebook page, their Twitter account @clubshopping, their blog http://www.insidebuyvip.com/ or their press page.

I am not the only affected person in the world – just do a quick search on Twitter for #buyvip. Apparently, users are already deleting their accounts.

When I tried to contact BuyVIP on their Facebook page, asking them politely why there is so little information, THEY DELETED MY FACEBOOK COMMENT! This is ridiculous: a consumer Internet company that has suffered a severe security breach and lost personal and sensitive user data is purposefully hiding from the public and deleting questions on the matter on Facebook. Very bad PR style. Here is the proof, a very lame response in my opinion:

To be fair, it seems that they simply set up their Facebook wall so that BuyVIP's own posts are shown at the top, while all other posts are moved down. So no deleted posts after all. Still, why is there no mention of this incident on Facebook? Why do they only send an email, and why on a Friday night, when few people are active online?

I hope this bites them back. I will probably follow suit and do what most Twitter users did: delete my account with them. If you were hit, make sure not to respond to weird emails asking for your password, and change your password if you used it anywhere else.

Update 2011-09-10:

So far I have not been able to find any public statement by BuyVIP, and I assume that the media hasn't picked up on this story at all, unlike the T-Mobile data theft or the very recent Sony hack (German article and English article), because of the “perfect timing”. However, it seems that their whole user base is affected, which means we are talking about roughly 6mn users!! This is an incredible number given the amount of information the hackers stole. From Twitter and Facebook comments it seems that many users' data was deleted entirely or their personal information was changed. When I logged into my account, my address and phone number were gone, and my birth date and home town had been changed to some ridiculous values. This could be an indication that backups are not available; why else would BuyVIP switch their site back on with fake and incomplete data if they had the real data as a backup? Bad for them, because not only do they need to regain the trust of their users (many are cancelling accounts, according to angry tweets), they also might have to get users to re-enter their data. That will be a tough task…

At the same time, it seems that this is really an international issue, since blogs in Poland and Spain are talking about the same email. I wonder whether these emails also had the seemingly innocent subject line “Information zum BuyVIP Online Portal”, which translates as “information regarding the BuyVIP online portal”. A fitting subject line given the gravity of the issue. I am sure that a vast number of users simply deleted this email because they thought it was just another shopping deal newsletter.

Posted Under Entrepreneurship

Pingback: September 2011 Cyber Attacks Timeline (Part I) « Il Blog di Paolo Passeri on September 15, 2011

Comments

Minime
September 9, 2011

Well… your posts are still there. The Wall is set up to show BuyVIP only, you have to change the view and scroll down past the BuyVIP posts: http://www.facebook.com/BuyVIP?sk=wall&filter=12

felix
September 10, 2011

Yes, you are right. Saw it as well – my bad! Still, why did they not mention anything at all on their public channels, why send out an email like this Friday evening.

iTomek
September 10, 2011

Thanks for the backlink; you may be interested in another source: http://translate.google.pl/translate?hl=en&sl=pl&tl=en&u=http%3A%2F%2Fniebezpiecznik.pl%2Fpost%2Fwyciek-danych-z-buyvip-pl-teraz-markafoni-pl-serwisu-grupy-allegro%2F
