The retailer says that whatever data the crooks have obtained, they weren’t stolen through a breach of its systems
Superdrug is urging its online customers to change their passwords after being contacted by cybercriminals who claim to have secured a range of personal details belonging to 20,000 customers of this British health and beauty retailer, Huffington Post reports.
The personal data are thought to include names, addresses, dates of birth, and phone numbers. One silver lining is that, according to the company’s statement on Twitter, payment information has not been compromised.
“On the evening of 20th August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” reads the company’s email. To prove that the breach was genuine, the criminals sent a portion of the alleged haul to the company.
However, the company said that independent IT security advisors found no evidence of a breach of its systems or “mass data download or extraction” from them.
“They [The IT security advisors] also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug,” according to the company’s email.
“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” The Guardian quoted the firm as saying. Known as credential stuffing, this type of attack relies on the fact that internet users commonly recycle their passwords across multiple online accounts.
Superdrug has contacted the police and Action Fraud, which oversees fraud and cybercrime cases. It is also believed, according to ZDNet, that the miscreants attempted to hold the company to ransom in exchange for their silence.
Meanwhile, it has also been reported that as Superdrug’s customers rushed to change their passwords, their attempts were stymied by an “internal server” error. The company acknowledged the issue, saying that the difficulties logging in were “due to the number of people who were using the website, and we apologize for any inconvenience caused”.