CEX customer database compromised

Found 29th Aug 2017
Dear Customer,

We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.

The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.

Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.

What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.

What we suggest you do?

  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.


Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance

We apologise for inconvenience this may cause.

Yours sincerely,

David Mullins
Managing Director


Questions & Answers

How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.

Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.

What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.

What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.

What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.

What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.

Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.

Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.

What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

If you have any questions, please don’t hesitate to visit uk.webuy.com/guidance or email us at: guidance@webuy.com.
36 Comments
They don't really hold any details do they?

I mean name, address, age and what you've sold?

Edit; oh online customer card details?
Edited by: "catbeans" 29th Aug 2017
catbeans 8 m ago

They don't really hold any details do they?
I mean name, address, age and what you've sold?
Edit; oh online customer card details?



As stated above (copy'n'pasted/transposed by @MSK.)...

---
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.

What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
---
fanpages 3 m ago

As stated above (copy'n'pasted by @MSK )...
---
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
---




Yeah hence why edited. I never believe what companies say has been compromised, but in this case there isn't much to compromise.
catbeans 7 m ago

Yeah hence why edited. I never believe what companies say has been compromised, but in this case there isn't much to compromise.



The data ("first name, surname, addresses, email address and phone number if this was supplied") is surely enough to warrant a modicum of concern, I would have thought.

Almost 90 minutes after this thread was created & I have not received any notification to the e-mail address that CeX has registered in their records.

Perhaps my details were not disclosed.
fanpages 38 m ago

The data ("first name, surname, addresses, email address and phone number if this was supplied") is surely enough to warrant a modicum of concern, I would have thought.
Almost 90 minutes after this thread was created & I have not received any notification to the e-mail address that CeX has registered in their records.
Perhaps my details were not disclosed.


was it an online account or did you only deal in store?

I'm the latter which going by the information, means this data hasn't been compromised
Original Poster
fanpages 1 h, 31 m ago

The data ("first name, surname, addresses, email address and phone number if this was supplied") is surely enough to warrant a modicum of concern, I would have thought.
Almost 90 minutes after this thread was created & I have not received any notification to the e-mail address that CeX has registered in their records.
Perhaps my details were not disclosed.


It arrived just after 7pm, so I expect you would have been notified by now if there was a problem. I would hope anyway.
MSK. 24 m ago

It arrived just after 7pm, so I expect you would have been notified by now if there was a problem. I would hope anyway.



Still nothing by e-mail to me (over 3 hours since your opening post).

I have only placed one (web site-initiated) order with CeX (& that was in January this year).
I have never sold anything to them (online or within a branch).
adamspencer95 1 h, 19 m ago

was it an online account or did you only deal in store?
I'm the latter which going by the information, means this data hasn't been compromised



Not so with my experience (see above, adam').

I've just now had the same email through - I expect that they've probably had a lot to work through, hence the delay.

Password duly changed, but I can't say that I'm too concerned here personally. It helps that my credit card has just expired anyway and they definitely don't yet have details of my new card.
They're contacting 2M customers. Just had the email. They don't keep card details after 2009.
Got my email about eight
Poor show down with them
Original Poster
fanpages 59 m ago

Still nothing by e-mail to me (over 3 hours since your opening post).
I have only placed one (web site-initiated) order with CeX (& that was in January this year).
I have never sold anything to them (online or within a branch).


I think my account is new-ish, but not as new as yours. There goes my theory about them mailing people by account age.
What about bank account details if you sold things online?
I got the email earlier, although I'm having trouble remembering my password....so if the person who hacked them is reading this could you email me my password, appreciated thanks in advance
No sign of an email for me and I've had my account for a good couple years now I think. Changed the password anyway and went through as many sites as I could think of that may have shared it. Turned out a couple old sites did which I haven't used in a long time from gaming deals we found on this site so had to change those too
Edited by: "CoolDude0123" 30th Aug 2017
If you've not found an email, don't forget to check in spam folder just in case
deleted57959 30th Aug 2017

Received 2 emails one for an older account and one for a newer account.
older account was emailed at 23:57 the newer account was 22:31
maybe emailing them backwards?
I would also like to know about BT details.



That was a glaring omission in the email.
Original Poster
Splashmo 7 m ago

That was a glaring omission in the email.


I have a feeling there's an image in this comment and it's not loading for me.
I reckon the "breach" is that they sold the old hard drive with the data on at a price you could buy a brand new one.
you can check if your email address was one by using this site

haveibeenpwned.com/
julieallen 1 h, 11 m ago

you can check if your email address was one by using this site
https://haveibeenpwned.com/



Translation: Provide your e-mail address to an unknown third party so they know it is a live address you use for access to a web site.
fanpages 34 m ago

Translation: Provide your e-mail address to an unknown third party so they know it is a live address you use for access to a web site.


rubbish, he is extremely well known.
Original Poster
julieallen 2 m ago

rubbish, he is extremely well known.


Who is s/he? And who else has access to the database?
MSK. 7 m ago

Who is s/he? And who else has access to the database?


He works for Microsoft, his database? I have no idea, no one I expect. If you mean the hacked data probably thousands of people worldwide who downloaded it when it was made public.
julieallen 2 h, 20 m ago

you can check if your email address was one by using this site
https://haveibeenpwned.com/

fanpages 1 h, 8 m ago

Translation: Provide your e-mail address to an unknown third party so they know it is a live address you use for access to a web site.

julieallen 34 m ago

rubbish, he is extremely well known.



Rubbish; he isn't.
fanpages 6 m ago

Rubbish; he isn't.


just because you haven't heard of him it doesn't mean he's not well known, just google his name there's usually articles mentioning him in national press and major websites. He works with Microsoft I should have said.
julieallen 25 m ago

just because you haven't heard of him it doesn't mean he's not well known, just google his name there's usually articles mentioning him in national press and major websites. He works with Microsoft I should have said.



Conversely, just because you have heard of him doesn't mean he is well known, or "extremely well known" as you first mentioned above.

I have worked with Microsoft in the past (as well as turning down an offer of employment to work for them), & I have also worked with Pfizer (on two separate occasions)... and I still don't know Troy Hunt!

Then again, none of these associations were in Mr Hunt's homeland of Australia.
...Back on topic...

I still have not received any e-mails from CeX.

guardian
fanpages 31 m ago

Conversely, just because you have heard of him doesn't mean he is well known, or "extremely well known" as you first mentioned above.
I have worked with Microsoft in the past (as well as turning down an offer of employment to work for them), & I have also worked with Pfizer (on two separate occasions)... and I still don't know Troy Hunt!
Then again, none of these associations were in Mr Hunt's homeland of Australia.


well a quick google today shows he is mentioned in the daily mail, guardian, metro, engadget, ABC, to name a few, so considering how many people will have read that, even forgetting about the fact the site has been round for ages, and is regularly quoted when there are data leaks, I would say that makes him well known.
Your comment implied there was something dodgy about his site, care to back that assertion up at all, or did you just make it up?
julieallen 15 m ago

guardian well a quick google today shows he is mentioned in the daily mail, guardian, metro, engadget, ABC, to name a few, so considering how many people will have read that, even forgetting about the fact the site has been round for ages, and is regularly quoted when there are data leaks, I would say that makes him well known...



No, it doesn't. It means the same article/interview is being reproduced across all the news outlets you mentioned (today & a couple of days ago).

Searching for "Troy Hunt" produces a certain quantity of results, as you stated.
However, searching for "Troy Baker" (for example; somebody I do know about) produces a higher number of results.

It proves nothing. It just means the definition of "(extremely) well known" is subjective.

Ask somebody "on the street" who Troy Hunt is, & they will have little-to-no idea about this expert in their field, if they do not attend Software Developer Conferences, or follow his blog. Ask them again in six months & they'll have even less idea (if that could be possible).

julieallen 15 m ago

...Your comment implied there was something dodgy about his site, care to back that assertion up at all, or did you just make it up?


It wouldn't be an assertion if I provided a reason or proof.
Original Poster
julieallen 2 h, 40 m ago

He works for Microsoft, his database? I have no idea, no one I expect. If you mean the hacked data probably thousands of people worldwide who downloaded it when it was made public.


So you don't know who has access then *shrugs* could be anyone.

Confirmation that the e-mail address is A) real and B) in use, is not public knowledge on the internet.

Or C) it could even be a new addition to the database completely, if the search turns up no results.
Original Poster
julieallen 1 h, 55 m ago

guardian well a quick google today shows he is mentioned in the daily mail, guardian, metro, engadget, ABC, to name a few, so considering how many people will have read that, even forgetting about the fact the site has been round for ages, and is regularly quoted when there are data leaks, I would say that makes him well known.
Your comment implied there was something dodgy about his site, care to back that assertion up at all, or did you just make it up?


Whether or not the site is dodgy, I think it's more about the issue you are confirming what is in there is real. Plus adding more information to it by searching.
Edited by: "MSK." 1st Sep 2017
fanpages 3 h, 50 m ago

No, it doesn't. It means the same article/interview is being reproduced across all the news outlets you mentioned (today & a couple of days ago).
Searching for "Troy Hunt" produces a certain quantity of results, as you stated.
However, searching for "Troy Baker" (for example; somebody I do know about) produces a higher number of results.
It proves nothing. It just means the definition of "(extremely) well known" is subjective.
Ask somebody "on the street" who Troy Hunt is, & they will have little-to-no idea about this expert in their field, if they do not attend Software Developer Conferences, or follow his blog. Ask them again in six months & they'll have even less idea (if that could be possible).
It wouldn't be an assertion if I provided a reason or proof.



yeah ok, I've known about the site for at least 3 years, it's widely used, and has been quoted in the press numerous times over the years like here from 2015 and here from 2016, wikipedia here says it gets over 10k hits a day and has over a million email subscribers. That qualifies it as being well known in my view. I won't bother trying to help in the future.
julieallen 6 m ago

yeah ok, I've known about the site for at least 3 years, it's widely used, and has been quoted in the press numerous times over the years like here from 2015 and here from 2016, wikipedia here says it gets over 10k hits a day and has over a million email subscribers. That qualifies it as being well known in my view. I won't bother trying to help in the future.



Wikipedia is not necessarily quoting verifiable/correct statistics, but OK.

Point proven.

Establishing a memory of an individual to be instantly recognisable is subjective.

Your help was probably useful to somebody.