The fake hack: Superdrug targeted by fraudsters

by Gabriel E. Hall

Hacker claimed to have the personal information of 20,000 Superdrug users


On Monday, high street health and beauty retailer Superdrug was contacted by an unknown hacker who claimed to have gained access to the personal data of 20,000 of the store's customers, including names, addresses, dates of birth, points balances and contact numbers. The bad actor demanded that the firm pay a ransom for the data.

Fortunately, the firm did not rush to meet the hacker's demands and followed the correct procedures instead. No ransom was paid; the company contacted the Police and Action Fraud[1] (the UK's national fraud and cybercrime reporting centre) to investigate further. 

The hacker provided the details of 386 accounts as proof of the hack. However, the investigation found no sign that Superdrug's internal systems had been compromised, and concluded that the data had been compiled from earlier security breaches elsewhere. Reusing previously leaked credentials to log in to accounts on other services is known as credential stuffing. It lets bad actors present a handful of working accounts as evidence of a major breach of a company that was never actually hacked, and then demand money for it.

Credential stuffing relies on users having same passwords for multiple accounts

Credential stuffing is a form of brute force attack: a large list of username and password pairs leaked from one site is systematically tried against thousands of other websites. For the attack to work, hackers rely on victims who use the same password for multiple accounts. Such lists can be bought on the dark web for a relatively small sum[2] and then fed into off-the-shelf automation tools such as PhantomJS, Selenium or cURL.

Once malicious actors have collected a significant number of working credentials, they can access the accounts of hundreds of people and harvest the data stored there, such as names, addresses and email addresses. Hackers can then contact the supposedly hacked organization, present that data as proof, and demand a ransom payment. 

Researchers warn that these kinds of attacks[3] are likely to become more common, and organizations should deploy adequate tools to protect themselves. Security software should be able to spot how quickly credentials are being entered (a sign that a bot, not a person, is submitting them), or even how a tablet or other device is being held.
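The timing-based detection the paragraph describes can be illustrated with a small log analysis. The following is an added example, not code from Superdrug or from the cited researchers: it parses constructed login-attempt lines in an assumed format and flags source addresses that, within a short window, try many different accounts at machine speed (a short median gap between submissions), which is the signature of a credential-stuffing run rather than a person mistyping their own password. The log format, thresholds and sample values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ignore lines in another format
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "result": m["result"]}
def find_stuffing_sources(lines, window=timedelta(seconds=60), min_attempts=5,
                          min_distinct_users=4, max_median_gap=timedelta(seconds=2)):
    """Flag source IPs that, inside `window`, submit >= min_attempts logins against
    >= min_distinct_users accounts at machine speed. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over time-sorted attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            if len(win) < min_attempts or len(users) < min_distinct_users:
                continue
            gaps = sorted(win[i + 1]["ts"] - win[i]["ts"] for i in range(len(win) - 1))
            if gaps[len(gaps) // 2] <= max_median_gap:  # median gap: bot, not a human
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "failures": sum(r["result"] == "fail" for r in win)}
                break
    return flagged
# Constructed sample: a script cycling through leaked usernames once per second
# (one reused password still works) and a human who retries a typo half a minute later.
SAMPLE_LOG = """
2018-08-21T10:00:00 ip=203.0.113.7 user=alice result=fail
2018-08-21T10:00:01 ip=203.0.113.7 user=bob result=fail
2018-08-21T10:00:02 ip=203.0.113.7 user=carol result=ok
2018-08-21T10:00:03 ip=203.0.113.7 user=dave result=fail
2018-08-21T10:00:04 ip=203.0.113.7 user=erin result=fail
2018-08-21T10:00:10 ip=198.51.100.4 user=gina result=fail
2018-08-21T10:00:42 ip=198.51.100.4 user=gina result=ok
garbage line that does not match the format
""".strip().splitlines()
```

Running `find_stuffing_sources(SAMPLE_LOG)` flags only 203.0.113.7 (5 attempts, 5 accounts, 4 failures); the single human retry from 198.51.100.4 is left alone, and the malformed line is skipped.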

Several customers were disappointed, despite the company's efforts

As soon as the incident occurred and the investigation was launched, Superdrug rushed to inform the customers whose data might have been breached:

We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.

The firm then followed up with an email to all potential victims and confirmed on Twitter that the email was genuine:[4]

To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.

Superdrug urged users to change their passwords immediately because the information held in their accounts may have been compromised. Fortunately, no credit card or payment information could have been exposed. While the company followed the correct procedures, many users were unhappy about the ordeal, claiming that the firm did not apologize properly.

As a result of the announcement, Superdrug's users had trouble logging into their accounts, which made some particularly unhappy. However, the organization reacted adequately to the situation and should not be blamed. Nevertheless, the firm later issued an apology, stating:

We are very sorry for the inconvenience and concern this has caused

Superdrug is not the first UK company targeted by hackers, as the data breaches at TalkTalk, Currys and Carphone Warehouse[5] prove. Unfortunately, we can expect similar incidents in the future, so users should make sure to change their passwords regularly and never reuse the same one across multiple accounts.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
