Oooooh! Fashion! Yes, breach did contain 1 million+ records
A breach at an e-commerce provider exposed the details of more than a million unique accounts on British clothing and accessories websites.
Sub-optimal security at Fashion Nexus meant that a white-hat hacker, Taylor Ralston, was able to access databases containing personal details of customers of various online clothing stores.
The data included names, email addresses, IP addresses, physical addresses, phone numbers, password hashes (MD5 and SHA-1, both salted) and dates of birth. Product orders also featured in the mix, mapped to customers and including addresses. There’s no evidence that payment card information was exposed.
El Reg learned of the breach via infosec veteran Graham Cluley’s post and confirmed details of what had been exposed with Troy Hunt, the security researcher behind the haveibeenpwned.com breach notification website.
The Register approached White Room Solutions, the sister firm of Fashion Nexus, for comment. The firm disputed the size of the breach and initially would not confirm which brands were affected before relenting and publishing a breach notice on Tuesday.
We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitative breakdown of those records in due course; however, no payment information of any kind is recorded by Fashion Nexus Ltd or our clients, and therefore none was compromised.
We would suggest that people change their passwords if they’ve been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle Attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).
Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server.
The breach was quickly identified and the vulnerability removed. The ICO has been informed.
Fashion Nexus takes our clients' and their customers' data security extremely seriously and we apologise that we have come up short in this instance.
The “several thousand” figure cited in the Fashion Nexus statement rather understates matters. Troy Hunt has the data, passed to him by the white hat, and has confirmed there are almost 1.3 million unique records in total. Of these, 280,000 may be test accounts of some sort, but that still leaves close to a million unique email addresses/records in the breach.
“This breach was reported to our clients and the ICO as soon as we found out and we are working with them to establish [the] fact[s] and, if required (and once we know the full facts), for our clients (as Data Controller) to contact those affected,” a representative of White Room Solutions told El Reg.
Bootnote
In the case of DLSB (Dirty Little Style Bitch) – another Fashion Nexus customer mentioned in Graham Cluley’s blog – we understand its database was not compromised but customer info did nonetheless leak due to SMTP config information left there by White Room.
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/fashion_nexus_breach/