Just received an email from them. Standard COTD.
Full email
Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011.
If you have not changed your password on Catchoftheday.com.au since 7 May 2011, we advise you to change your password. If you have changed your password since that time, no further action on our website is necessary, but we nevertheless encourage our users to regularly change their passwords.
It is always good practice to have unique passwords for every website that you use. If you used the same password for Catchoftheday.com.au as other websites in 2011 we recommend that you change all of those passwords as well.
In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.
At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.
We have also since informed the Australian Privacy Commissioner.
With technological advances, there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.
Our security networks are continually evolving and have undergone major upgrades to keep in line with industry standards and best practices. We have better technology, better procedures and a bigger team dedicated to ensuring your experience with us is safe and secure. We regularly undertake external reviews and audits to ensure that our sites and your data are as secure as possible.
We sincerely apologise to our loyal customers that these events occurred and can assure you that we have dedicated significant resources to security and privacy to avoid these events in future.
If you need more information, please read below.
How do I change my password?
You can change your password by logging into your account, clicking 'My Account' in the right-hand corner, and then the 'Password' tab.
How do I know if I was affected?
Only accounts created before 7 May 2011 are affected and only those users are receiving this email. If your account was created after that date, you do not have to do anything. However, we recommend all users regularly change their passwords.
What information do you currently have about me?
We generally only store what we need to complete a transaction. We require your name and delivery address details so we can send items to you and your email so we can contact you.
We do not store a full credit card number and payments are processed through a third party bank.
More information about what we collect can be found in our Privacy Policy, viewable here.
Was my credit card compromised?
The incident occurred in late April and early May 2011, when a string of attacks occurred against other online retailers and businesses.
Only a relatively small portion of users had credit card information compromised. The vast majority of users were not affected in this way. Catchoftheday does not store full credit card data and credit card payments are processed through a third party bank.
At the time, the incident was reported to relevant banks and card companies, who enacted their own fraud prevention measures, which included cancelling cards. If you are still concerned, we advise you to contact your bank.
What is password hashing?
Password hashing is similar to encryption, and turns password data into a fixed length code or 'fingerprint', so a password can be securely stored. This is known as a 'hash'. You cannot log into a website using just the hash.
Our passwords are also 'salted', adding an extra layer of protection, and we adopt industry standard protection measures.
What is a good password?
A good password contains a combination of randomised letters (both upper and lower case), numbers and symbols and is over 8 characters long.
What can I do to protect my data online?
While we do everything we can to ensure your data remains secure, regularly changing passwords is your best defence for online security compromises. We advise you change your password at least once every three to four months.
For more information on how to protect data online visit the Privacy Commissioner's website here.
How do I undo post-May 2011 hacking to my accounts using the hacked details?