COTD hacked May 7 2011. Informing customers now

Just received an email from them.. Standard COTD

Full email

Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011.

If you have not changed your password on Catchoftheday.com.au since 7 May 2011, we advise you to change your password. If you have changed your password since that time, no further action on our website is necessary, but we nevertheless encourage our users to regularly change their passwords.

It is always good practice to have unique passwords for every website that you use. If you used the same password for Catchoftheday.com.au as other websites in 2011 we recommend that you change all of those passwords as well.

In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.

At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.

We have also since informed the Australian Privacy Commissioner.

With technological advances, there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.

Our security networks are continually evolving and have undergone major upgrades to keep in line with industry standards and best practices. We have better technology, better procedures and a bigger team dedicated to ensuring your experience with us is safe and secure. We regularly undertake external reviews and audits to ensure that our sites and your data are as secure as possible.

We sincerely apologise to our loyal customers that these events occurred and can assure you that we have dedicated significant resources to security and privacy to avoid these events in future.

If you need more information, please read below.

How do I change my password?

You can change your password by logging into your account, clicking 'My Account' in the right hand corner, and then the 'Password' tab.

How do I know if I was affected?

Only accounts created before 7 May 2011 are affected and only those users are receiving this email. If your account was created after that date, you do not have to do anything. However, we recommend all users regularly change their passwords.

What information do you currently have about me?

We generally only store what we need to complete a transaction. We require your name and delivery address details so we can send items to you and your email so we can contact you.

We do not store a full credit card number and payments are processed through a third party bank.

More information about what we collect can be found in our Privacy Policy, viewable here.

Was my credit card compromised?

The incident occurred in late April and early May 2011, when a string of attacks occurred against other online retailers and businesses.

Only a relatively small portion of users had credit card information compromised. The vast majority of users were not affected in this way. Catchoftheday does not store full credit card data and credit card payments are processed through a third party bank.

At the time, the incident was reported to relevant banks and card companies, who enacted their own fraud prevention measures which included cancelling cards. If you are still concerned, we advise you to contact your bank.

What is password hashing?

Password hashing is similar to encryption, and turns password data into a fixed length code or 'fingerprint', so a password can be securely stored. This is known as a 'hash'. You cannot log into a website using just the hash.

Our passwords are also 'salted', adding an extra layer of protection, and we adopt industry standard protection measures.

What is a good password?

A good password contains a combination of randomised letters (both upper and lower case), numbers and symbols and is over 8 characters long.

What can I do to protect my data online?

While we do everything we can to ensure your data remains secure, regularly changing passwords is your best defence for online security compromises. We advise you change your password at least once every three to four months.

For more information on how to protect data online visit the Privacy Commissioner's website here.
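The FAQ above describes a hash as a 'fingerprint' and says the passwords were also 'salted'. As an added example that is not Catch of the Day's code and says nothing about how its passwords were really stored, the Python below contrasts an unsalted single-round hash with a salted, iterated PBKDF2-HMAC-SHA256 record (the iteration count and the wordlist are constructed), showing why two customers with the same password must not share a stored value and why a salt stops a table built once from being reused against every account.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed illustration, not Catch of the Day's code: the notice says its
# passwords are "hashed" and "salted"; this contrasts an unsalted single-round
# hash with a salted, iterated one and shows what the salt actually buys.

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed, not from the notice

def legacy_hash(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same 'fingerprint'."""
    return hashlib.sha1(password.encode()).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash -> word for an unsalted scheme: computed once, valid for every user."""
    return {legacy_hash(w): w for w in wordlist}

def same_password_same_record(password: str, scheme) -> bool:
    """True if two users sharing a password get identical stored values."""
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    table = lookup_table(["123456", "password", "qwerty"])  # constructed wordlist
    print("legacy identical:", same_password_same_record("password", legacy_hash))
    print("salted identical:", same_password_same_record("password", make_record))
    print("legacy in table:", table.get(legacy_hash("password")))
    print("salted in table:", table.get(make_record("password")))
    rec = make_record("password")
    print("verify:", verify("password", rec), verify("Password", rec))
```

The unsalted store answers "which customers share this password" and can be checked against a table built once; the salted record forces the work to be redone per salt, which is the exposure the notice's "technological advances" sentence is pointing at.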


Comments

  • +3

    How do I undo post-May 2011 hacking to my accounts using the hacked details?

  • +6

    It might have been a good idea to change your password.. 3 years ago!

  • +2

    lol I just got the same email and had to double-take, it was a 2011 incident that they're just letting us know about

  • +3

    3 years. bulls—t

  • +1

    TL;DR

    In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.

    Let me break this down:

    targeted by an illegal cyber intrusion

    How can you be targeted by an intrusion? Stop using the word cyber, just stop it.

    hashed (encrypted) passwords

    Hashing is NOT encryption, now tell us how they were hashed.

    In some cases credit card data was compromised.

    What cases?

    Only a relatively small portion of users had credit card information compromised.

    but then…

    The vast majority of users were not affected in this way. Catchoftheday does not store full credit card data and credit card payments are processed through a third party bank.

    So what liability will COTD face now that our data has been stolen? Almost exactly zero.

  • +6

    It's COTD, three years to deliver an email would be SOP for those assclowns…

  • +3

    Three years is bad form. Customers have been vulnerable all this time. How does one close a COTD account?

    • +10

      Give me your password, I'll sort it out for you… :P

      • +12

        Apparently I have already done so, three years ago?

        • Just to make sure the password is hashed, why don't you just give the password again. We'll let you know in another 3 years' time of the status of your request LMAO

  • +4

    Looks like it takes COTD almost as long to inform customers of this as their shipping takes!

  • It's ridiculous hey.. 3 years ago my credit card may have been compromised and my password probably was and they're just letting us know now..

    Lucky I never trusted them and used an extra basic throwaway password

    • A throw away password doesn't make your account more secure. A basic one doesn't help either.

      • I'm not overly worried about my cotd account being hacked. I mean in that the password was never used for any other accounts so they could not use their cotd access to access more of my information. Most of my standard passwords are 14-16 character symbol capital shenanigans that give me a headache whenever I don't log into something for a while

        • +2

          Thanks for the hint. That should give me a nice head start…

        • +1

          @donga100:

          I feel like you've earned it if you break it

  • I'd recommend going to http://www.privacy.gov.au and making a complaint to the Australian Privacy Commissioner.

    • Still pretty much a waste of time. In the area of data security, the new Australian Privacy Principles (APPs) do not put a significantly higher obligation on organisations. There is still no specific offence for NOT taking reasonable steps to protect personal info. All that was really needed was an enforceable requirement for companies to notify affected customers as soon as a breach occurred. Social media would then take care of spreading the word about which companies were not taking security seriously! At present, companies might have to notify police and/or banks and/or the OAIC depending on the nature of the breach, but none of those entities will normally disclose the details publicly, thus protecting the company's interests.

      6 years for Rudd/Gillard Labor to "strengthen" privacy protection, and that's what we got. (Of course I'm not holding my breath for the Libs to favour the public over business either. A pox on both their houses:)

      • Breaching the APPs (and the NPPs before it) is the offence (except it isn't an offence because it isn't a criminal offence).

        The OAIC has a very wide range of powers including determining compensation should be paid. These determinations are enforceable in the courts if the businesses do not comply. If many people complain, the OAIC may decide to issue a determination against COTD which, at a minimum, will put an official black mark against their name which is better than nothing.

        Now it would have been nice for the data breach laws to have gone through parliament last year before the election. But that didn't happen and who knows what the Libs have planned.

  • +7

    I would also like to suggest as many people as possible contact the people who operate the "World Retail Awards" – Catch has recently been nominated for their Online Retailer of the Year Award.

    Let's contact them and request that their nomination be removed – https://www.worldretailawards.com/

    • that's a joke right?

  • What…the…actual…eff?!

    How do they just let this slip for 3 years?! What a joke!

  • +2

    I remember the recent spate of Apple hijackings, and it was suggested that passwords from compromised websites were being tested on iCloud to check for password reuse. Here's someone who used the same password for their Apple ID and CoTD account:

    Apple forums "My devices have been hacked. What do I do?"
    https://discussions.apple.com/message/25913607#25913969

    kkneufeld - May 27, 2014 6:22 AM
    I know it's unlikely, but the other account I had with the same details as my Apple ID was my Catch of the Day account. I tried to find whether the company that owns Catch of the Day has any international links, but couldn't. I'll keep thinking of others.

    • This is what I was aiming to avoid, as opposed to access to my cotd account

  • +2

    How p1ss poor is this? Apparently COTD told the banks about it years ago, and have just decided to tell customers.

    The take away is this: ANY online business who touts 'We Care about Our Customers' is lying. All that ANY online business cares about in these narcissistic days is making money fast and treating customers like cattle. When we all jumped on the big internet bus and thought how great it is to save money and shop from home, we didn't consider that 'service' was only an in-store feature and 'customer care' was thrown in the bin completely.

    What's also evident is that determined hackers have a far higher skill set than most online retailers have in-house or under contract to secure their operations.

    I know that many e-tailers have suffered data penetration but in this case I can assure you that no matter WHAT the bargain, I will NEVER buy from COTD again.

    3 years - suck my dog COTD, you lose (customers).

    And while we are being frank with open eyes, let's call out COTD for what it really is - an online clearance centre for JUNK, failed products, refurbs and EOL's. Now we can realise that a junk merchant will never have high customer care.

    • I wouldn't say ANY. I regularly use massdrop and have had to email their support a few times and they are really nice and informative.. when it was my fault they helped me out a lot and when something went wrong on their end they fixed it up quickly and offered reimbursement. I like to think they'd let people know straight away..

      Yeah all their stuff is s!@#. I bought a few things from them, some computer peripherals, some socks, all had MAJOR issues to the point of failure either on arrival or within a short period of time. I gave up on them after a couple months outraged at their customer service. The only thing I can thank them for is leading me here to OZB

  • +9

    Check out this extremely informative (lol) interview with a COTD rep re: the hacking situation:

    http://www.itwire.com/business-it-news/security/64791-catch-…

    • +4

      That interview is full of typical non-answers, as if they were having 2 different conversations.

      How can you start an answer with "that's a good question…" then not properly answer it?

      These idiots should be in politics.

      • +5

        johnno07 58 min ago
        Check out this extremely informative (lol) interview with a COTD rep re: the hacking situation:
        http://www.itwire.com/business-it-news/security/64791-catch-…

        That actually made me feel a little ill reading all that self-serving horseshit. I really didn't think my opinion of Con Of The Day could go any lower but once again they have stepped up to the plate and hit another home run…

    • +3

      What a joke of an interview. None of the answers seem to match up with the corresponding questions at all.

      • +3

        None of the answers seem to match up with the corresponding questions at all.

        Well that was obviously the whole point, I mean if they actually answered any of the questions they would have been made out to be the dodgy shithole they really are and no one would deal with them any more… this is damage control at its very worst….

  • +1

    I've never liked COTD as a user.

    It's pretty obvious that while they claim "Data security is very important to us…" it was way less important than "not scaring users away from our compromised website so we can continue doing business without a temporary drop in numbers" - so they decided to not inform users of the breach for 3 years.

    Three goddam years. They might as well have just not informed anyone given that if people haven't been screwed by this after three years they probably won't be now. Meanwhile how many of their customers went through the trauma of having their property (read money) violated?

    So I suggest voting in the best way possible on the issue of whether you think this is acceptable behavior and don't give them your money anymore. ;)

  • +1

    I'll be happy to accept a $50 store credit and in exchange I won't mention this news or otherwise bad mouth Catch of the Day to anyone else.

  • Absolutely disgusting.

  • crap of the day!

  • Glad I never saved my credit card on both my cotd accounts. I pay for all my orders through PayPal; not that they accepted amex anyway

  • +4

    Yer I am very unimpressed..

    Guess what. My ANZ credit card got compromised 3 years ago. I never use this card for online purchases except from Catch of the Day as I assumed they were a safe reliable Australian Company.

    Other stuff I just use PayPal or I don't buy.. Simple!!! (I still follow this rule except I pay Australian utilities bills also now)..

    Anyway when the breach happened, I had arguments with ANZ who detected my account got breached and stopped my account, yet did not think I was important enough to be notified and I had to chase them up about it. Furthermore I had to dispute the transactions and fill in forms that they had correctly identified as being fraudulent!

    They explained to me that my computer must have a virus, which I argued that it's not. I work in IT and I run a clean PC.

    Needless to say I closed my ANZ credit card, and now some 3 years later I bet my house I know how my card got compromised!

  • For the record, they're still doing a better job than Spreets. I signed up for them in 2010 with a one-off email address ([email protected]) and unsubscribed within a month or so. In August 2011 I advised them that this address (that only they had) was getting a ton of spam sent to it and it was likely their systems had been compromised.

    They closed the job with no response a month later citing user error, and when I took them up on it they kept the job open until February 2012 when they closed it. At the time they said there couldn't possibly be a breach in the absence of other user reports, and that the spam was therefore a result of my inability to configure email (ignoring that it was only being delivered to an address only they had on file).

    Sure, COTD is admitting a breach a little late, but at least they didn't wilfully ignore evidence of it or try to blame it on end users.

  • Good Guy COTD. Lets customers know 3 years later, so they don't panic.

    I have no idea why they would disclose it now. They should have taken it to the grave (in terms of PR). At least they still had the conscience I guess. :p

    • I think that was probably their plan at first, take it to the grave. But I'm guessing they knew something we don't and maybe someone was going to out them for it (threat from a recently sacked employee possibly?) or something, so in yet another round of damage control they were forced to come clean about it now

  • Now that COTD has got the Packer & Murdoch boyz investing in them they can openly admit they have regarded us as Schmucks for years & will continue to do so!

  • +2

    This explains how someone bought a Spanish cruise using my credit card several years ago!
    Thanks for nothing COTD. Will never ever give you another cent.
