vz-risk / VCDB

VERIS Community Database

MALL.cz breached #10081

Open swidup opened 7 years ago

swidup commented 7 years ago

https://haveibeenpwned.com/PwnedWebsites#MallCZ

swidup commented 7 years ago

https://blog.mall.cz/o-nas/q-a-vse-co-jste-chteli-vedet-o-bezpecnosti-na-mall-cz-451.html

Translation:

Did you receive an email informing you of a password change to your account, and would you like to know more? We have recently experienced a security breach attempt that affected an older database of user accounts whose passwords were not strong enough. We did not expect anything, and we decided to reset a portion of the passwords to customer accounts to prevent any possible abuse.

You are certainly interested in what this means for you and what you should do if you want to avoid similar difficulties in the future. That's why we've put together answers to the most common questions. If you still cannot find an answer to what you are interested in, let us know and we'll solve it together.

Q: Can I verify whether this situation also applies to my specific password? If you created your account in 2015 or later, this situation most likely does not apply to you, since the security breach concerns the older database of customer accounts. Likewise, you are probably not in danger if you chose a strong password according to current security standards. To be sure, we've created a special web application where you simply enter your email and we'll let you know whether this situation applies to you as well.

This app is available here - https://www.mall.com/safety

Q: My account does not work, how can I restore it? You do not have to worry about your account being cancelled; only the password has been reset. You can simply recover the password without losing any of your data. Setting up a new password is easy. When you sign in to your user account at MALL.cz, select "I forgot the password" and enter your e-mail; you will then be prompted to enter a new password to activate your account. Alternatively, you can click https://www.mall.com/user/password-recovery/recovery and follow the instructions.

Q: How can I change the password to my MALL.cz account? Setting up a new secure password is easy. When you sign in to your user account at MALL.cz, select "I forgot the password" and enter your email. You will be prompted to enter a new password to reactivate your account. Alternatively, you can click https://www.mall.com/user/password-recovery/recovery and follow the instructions.

Q: How should I ideally secure my account to be protected in the future? You should choose a password that meets current security standards. A secure password is either composed of at least eight characters including digits, a combination of lower and upper case letters and special characters such as % and #, or a very long password consisting of, for example, four or five words that do not form a well-known phrase. You should also not use the same password on multiple accounts. Because remembering secure passwords for all of your accounts is almost impossible, we recommend that you use a password management program, called a password manager. Examples are 1Password, LastPass, Enpass or KeePass. Current security standards for password creation are described, for example, here: https://www.root.cz/clanky/novy-standard-pro-prihlasovani-nenutte-uzivatele-menit-hesla/

Q: Could someone in my MALL.cz account misuse my credit card, since I usually pay with my card? (this is a PayU system)

No, there is no such risk, as no data that would make a payment possible is stored anywhere in the MALL.cz client center. However, if you have a payment card stored in, for example, another e-shop where you use the same password as at MALL.cz, we recommend that you change your password immediately.

Q: What happens if I do not change my password and use it elsewhere than on MALL.cz? If you use the same combination of email and password as at MALL.cz for other services (Facebook, e-mail, other e-shops), there is a risk that someone else will sign in to these services under your identity. Therefore, we recommend that you change your password immediately and choose one that meets security standards.

Q: How do you protect my access data and what do you do to prevent the situation from happening again? Since November 2012, password security has been provided by SHA1 hashing with unique salts, and since October 2016 we have protected access data with bcrypt, one of the strongest hashing methods. Until 2012, data was stored using MD5, which is no longer considered safe. Most of the broken passwords come from the time this method was used. For older accounts, therefore, we changed the password and automatically converted it to bcrypt, the latest hashing method, with which we currently protect access data for all accounts. In the field of IT, of course, we are constantly strengthening security measures according to the highest and most up-to-date standards.

In this particular case, we have filed a criminal complaint and we are working hard to detect the perpetrator.

Q: What do you mean by "customer data"? And how could it possibly be further abused? Customer data includes name, surname, email, password, and, for some users, phone numbers. Even if you do not use your MALL.cz account often, you should pay attention to its security. If your password will