Vudu Resets User Passwords After Burglary

New submitter Chewbacon writes "If you can't hack it, smash and grab it. Video streaming service Vudu has emailed customers informing them of the theft of hard drives containing customer information. CNET reports the information on the stolen drives included: names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. Vudu's Chief Technology Officer Prasanna Ganesan said while no complete credit card numbers were stored on the hard drives and expressed confidence in password encryption, he felt the need to be proactive with the password reset and encouraged users to be proactive as well should the encrypted passwords become compromised. Vudu fails to mention, perhaps in a downplaying move, the last 4 digits of a credit card and much of the other information stolen is often enough to access an account through virtually any company's phone support."

you data isn't safe

[Nyder]

when the thieves come in thru the window. (No, not Windows OS, but the actual window.)

Re:

[Big Hairy Ian]

Physical security is just as important as online security you can get just as much info out of a PC in a skip as you can online if it wasn't wiped correctly for instance.

Re:

[Anonymous Coward]

If they steal our drives they're none the wiser. Use the OS-provided disk encryption people, the boot drive doesn't necessarily need to be encrypted but databases and log files should be.

To successfully "steal" our data this way the thieves need to arrive with a portable UPS, isolate the right machines, swap them over onto the UPS and then steal them still running, whereupon they can probably use some existing exploit to get past the login screens etc. on console. That's a big ask, considering they have to

Security through obscurity: don't clean up

[captainpanic]

Security through obscurity: My data is safe, even if the thieves break in. No way they can find anything in the mess that I call home. :)

cheap bastards

[FudRucker]

keeping a night-watchman (armed guard) on duty during "off hours" would have more than likely prevented this

Re:cheap bastards

[cbiltcliffe]

Maybe they had a night watchman, and he's the guy that stole the drives.

Re:

[ThatsMyNick]

Cheap bastards. Having a night watchman to watch this watchman would have prevented that.

Also, you should have gone for - Who watches the watchmen. How could you miss it.

Re:cheap bastards

[lxs]

Who watches the watchmen.

I know! That movie is like three hours long.

Re:

[Kardos]

Sounds like you need to increase your maximum recursion depth. With a limit that low, why even support recursion?

Re:

[Qzukk]

Maybe they cut a new back door [datacenterknowledge.com] while the guard was watching the front one.

Who steals HDDs?

[fuzzyfuzzyfungus]

Does used commodity x86 server gear(with hot serial numbers, no less) actually have enough resale value somewhere that it would be reasonable to imagine that the thieves might actually have been after the hardware, or would they have had to have other motives(whether data access, or something else they thought was in the building) to make taking the risk worth it?

I can see the case for smash-n-grabs on consumer gear, especially laptops and iDevices and such, where gullible and/or morally flexible people do

Re:

[jjjacer]

with the price of new drives not falling, maybe the used market has gotten bigger. i know back around the year 2000 at the super computer sales i swear i saw a bin of drives that got ripped out of stolen computers (looks like they were well used and abused and the seller looked like a drug dealer).

Or maybe people dont want to pay for new drives and are resorting to just stealing from places that have a large supply.

Re:

[cdrudge]

Where does it say what type of drive was stolen or what it was in? Backups of a production database on a developers' laptop hard drives for instance would still fit the story if laptops were taken. Or if they were on external drives but used for the same purpose.

Even if they were "enterprise drives" in a server, NAS, SAN, etc there is some used market for them. Probably not the same market that wanted them new, but they'll still sell for the right price.

Re:

[PlusFiveTroll]

If a thief thought he was getting a storage container full of SSDs, that could be enough motivation. Even used they go for big bucks, especially the enterprise ones.

My step-mom had her checking account put on hold once after a spurious transaction showed up on it. Come to find out a computer system from the electronic check processing company that Walmart uses was stolen by an employee and sold to some nefarious group.

Re:

[Orestesx]

Why bother going through all that work when a waitress can just write down the cc number when she swipes your card.

Last 4 digits = bullshit

[Anonymous Coward]

Wish I knew which fucktard started that. The first 4-6 digits identify your card issuer, so if I knew you had a discover card (6011) and the last 4 digits, it would halve the search space for your card and LUHN will take care of a huge chunk of the rest. I once freaked out a coworker by reading her credit card number aloud as she typed it from across the room - she had the same university CC I had, the first 8 digits were the same. Look in your wallet and tell me how many cards you have from the same ban

Re:

[rossdee]

You can cancel that credit card and get a new cc number, and even change your email address. However changing your physical address is a bit more expensive, and changing your date of birth is not possible unless you have a time machine.

Re:

[Anonymous Coward]

Why would these sites need your date of birth ? Might as well give a random one.

Re:

[operagost]

Federal law. Since it's an online service, it would require you to affirm your age is greater than 13 in the USA. They might also have requirements, due to content or similar requirements in other countries.

A secret you have to tell everyone

[jbmartin6]

It strikes me as a little silly to think that the type of personal information on those drives is somehow going to stay a secret. You have to give it to dozens of organizations: banks, employers, stores, and so on. So using this information as a security identifier is a very flawed approach. We seem to accept this since the level of fraud is tolerable. Plus the alternatives such as smart cards are extremely expensive to implement across all of society.

hard drive encryption, anyone

[Lluc]

How much do you bet this data was copied onto someone's laptop, sitting on a desk, rather than a thief breaking into a datacenter and pulling an entire server?

Vudu?

[synapse7]

Anybody hear ever use vudu?

Re:

[nevermore94]

Yup, I use and love VuDu. I currently have 38 movies in my collection on their service. Why, because they are the best online streaming service that supports Android tablets and they also offer the highest resolution streaming in their HDX format for my HTPC and laptop. You can also download local copies for viewing offline on Android tablets. I got much of my collection from redeeming UltraViolet codes from BluRays and also got some as free promotions. WalMart has also partnered with them to put any o

Semi-security through obfsucation

[DewDude]

Yes, I. Use VUDU...solely because every BD I get has a redemption code for Vudu and UltraViolet. I'm not worried; they essentially got data on my that's accessable...last 4 of the CC number? That's been out there since. Everyone else merely just gets hacked. I don't use the same identity details on important things...you couldn't access my back with jus VUDU info...you need several pieces of info for that. At lease they're doing something; most places just say you're on your own and we're sorry...VUDU gave

Proactive proactivity

[zephvark]

Ganesan does not appear to have actually said "proactive" twice, or even once. "New submitter Chewbacon" is apparently a marketing droid.

Re:

[Anonymous Coward]

I see it twice in TFA. Not reading TFA and complaining about TFS? Way to slashdot.