Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security Businesses Data Storage Databases Privacy The Internet

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com) 37

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."
This discussion has been archived. No new comments can be posted.

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users

Comments Filter:
  • by Anonymous Coward

    Hashing passwords isn't new. So why are people still storing plaintext passwords?

    "We just want a webshop" -- Yeah but you're selling expensive luxury goods. That makes addresses of buyers very interesting, don't you think? WHY EVEN KEEP THAT DATA ONLINE?!?

    What were you thinking? "We just want a webshop." Right. You were not thinking, nor were the webmonkeys you hired for your webshit. Congratulations, you done leaked, and now your customers' data is all over the place.

    • lot's of apps put DB passwords in plaintext is config files

    • Hashing passwords isn't new. So why are people still storing plaintext passwords?

      Hashing passwords doesn't work. That so many are STILL advocating demonstrably worthless course of action scares me more than the revelations of this jewelry site.

      Simple truth is passwords chosen by mortals have insufficient entropy to stand on their own regardless of salts, amplifiers, hash algorithm or wishful thinking (e.g. password policy and training). I don't care if these things make it thousands or millions of times harder in practice. With 1.3 million users the outcome is still comically unacce

  • But the phrase gross criminal negligence come to mind.

    In an ideal world, wanton disregard of decades old security standards should land executives with some fines and possible jail time. For a criminal case, some kind of applicable statute would have to be dug up.

    For a civil case, that's way easier. You have to show that it is likely (really a >50% chance) that their actions, negligence or policties lead to some damages. Nobody goes to jail. But some lawyers can get rich settling a million dollar class a

    • Yep, plain-text passwords... damn, the level of incompetence that could lead someone to believing this is acceptable these days must be really something. This is not the year 2000 (the probable age of this system), where you might expect a few less-than-competent people haven't gotten the word on best industry practices. This isn't even storing password hashes with outdated crypto and without salt. If the report as implied is accurate, this is pants-on-head level stupidity. You really can't explain your

  • ... incompetence and gross negligence on this (admittedly extreme) level will remain common. My suggestion: Immediate payout of $500 to anybody affected, and full cost to anybody that can prove they suffered more damage. If they cannot pay, CEO goes to prison for a few years and has personal fortune impounded. This will lead to companies having insurance for this and insurers taking a critical look at their practices.

    • That will lead to a couple more paragraphs on their privacy policy [limogesjewelry.com] and user agreement [limogesjewelry.com]. That is all.

      Besides can't people sue over breach of contract under the privacy policy and terms of use already? Looking at the agreements it seems a fairly straightforward breach of;

      "Limogés Jewelry collects information that you volunteer in order to process your order, to inform you of special offers, and so that you may receive superior customer service. We do not share your e-mail address with anyone outs
    • My suggestion: Immediate payout of $500 to anybody affected

      You need to get a grip on reality. A quick Google search says Limoges Jewelry has annual revenue $7.5M. Let's say they have a 10% net profit (unlikely to be that high). That gives them $750k in available cashflow. So for the 1.3M affected, that is 57 cents each. Metered first class mail costs 46 cents, plus 5 cent for the envelope and check, and that leaves 6 cents. If you really think that $500 per person is realistic, you need to explain where the other 99.9% of the money is going to come from.

  • This is how companies participate in the mass surveillance program.
    They 'accidentally' leave all of there customer's info in an unsecured location and pretend it was a snafu.
    This has been happening A LOT. And no one is learning anything from all these stories?
    The system is trying to appeal to your good, trusting, forgiving nature. Do not fall for it.

    There is a war being waged against every single one of us by the people sworn to protect us.

  • Now you have 1.3 million friends in the diamond business!

  • It should be a crime to store plaintext passwords for users on any web site where the public can create ids. There is no reason for it and it's been decades since it was an unacceptable practice on any computer system.

    Of course, once it's a crime, civil liability follows.

  • Mariners and pilots have known for a long time what clouds mean - DANGER!

    Where was this file found? In the "safety" of the cloud, along with hundreds of thousands of other sensitive files placed there for "safety".

  • Some good gems in the .htaccess file downloadable from here [initializr.com] Of particular interest might be this section to block access to files that end in certain extensions. https://pastebin.com/16Xn1gSs [pastebin.com]
  • Some good gems in the .htaccess file downloadable from here [initializr.com] Of particular interest might be this section to block access to files that end in certain extensions.
    https://pastebin.com/16Xn1gSs [pastebin.com]

  • Some good gems in the .htaccess file downloadable from here [initializr.com] Of particular interest might be this section to block access to files that end in certain extensions.
    https://pastebin.com/16Xn1gSs [pastebin.com]

  • clear text passwords and unprotected databases, we have learned nothing.
    and these things are not even difficult or expensive to implement - there is no excuse here.

  • Obviously storing passwords in plain-text is frowned upon. To protect the database and backups you can enable encryption which is really easy to do in the SQL admin tool. This way everything is protected. I'd still use HASH and SALT for storing passwords.

  • A couple million bribe to the lawyers of the class action suit, vouchers for 20% discount to the ones affected by the leak. Heck, the company might MAKE money on the deal.

    As long as there are no repercussions at all for leaking data, there will be no incentive for securing data.

    Storing unhashed passwords in a database means that there will be a major leak, guaranteed. That should be just as illegal as intentionally giving customer details away for money. There needs to be criminal penalties not just civil o

  • The company was incompetent but they likely didn't know they were incompetent. People who are good cost a lot of money and someone for half the wage will likely bang out something that looks great using the latest web platform of the month in half the time the high priced guy will take. A CEO, who doesn't know how to program can't evaluate who is good and who isn't. This was a screw up and combined with the fact that almost everyone reuses passwords potentially a major expense for a few people. Bankrupt
  • In law "very great negligence" is a lesser used but equivalent term to "gross negligence".

    Research before [sic]ing.

As of next Tuesday, C will be flushed in favor of COBOL. Please update your programs.

Working...