UK website data insecurity worries: Users in bits over car break-up emails

Don't break my car... my achy brake-y car... or is that do?


Updated: Popular car parts comparison website PartsGateway is dangerously insecure, a veteran UK security consultant warns.

The warning from Paul Moore comes in the midst of ongoing social media complaints by customers who say they have received phishing emails containing their personal addresses and phone numbers. One user said the phishing email had been sent to an address they had provided only to PartsGateway. The dodgy emails appeared in the guise of legitimate-looking order confirmations.

El Reg learned of the issue as the result of a tip-off from a concerned reader. The free-to-consumers web-based service had yet to respond to repeated requests for comment at the time of publication. We'll update if we hear more.

We did note, however, a tweet from PartsGateway's Twitter account telling one user that its tech team was investigating the spam.

Users faced with a similar lack of feedback have flagged up concerns with the ICO, the UK's data protection watchdog.

Paul Moore said he has identified a number of security shortcomings with the site, including passwords handled in plain text and weak or absent TLS encryption.

"With an 11-year-old version of Apache, a seven-year-old version of PHP, no security headers whatsoever, weak TLS and no meaningful authentication, it was only a matter of time before Partsgateway became a statistic," Moore told El Reg.
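Several of the shortcomings Moore lists (version-disclosing server banners, missing security headers) are visible in a single HTTP response and are easy to check for. The following is an added example written for this page, not Moore's tooling or anything from PartsGateway: a small offline audit over a raw HTTP response. The sample response, the list of expected headers and the minimum-version thresholds are all constructed for illustration and are not a capture of the real site.

```python
"""Offline audit of a raw HTTP/1.x response for the kind of shortcomings the
article describes: missing security headers, version-disclosing Server and
X-Powered-By banners, and session cookies set without Secure/HttpOnly."""
import re

# Response headers a hardened site is expected to send (lowercase names).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Minimum (major, minor) versions below which a disclosed banner is flagged.
# Assumed thresholds for this example, not a vendor support statement.
MIN_VERSIONS = {"apache": (2, 4), "php": (7, 3)}

# Matches e.g. "Apache/2.2.3" or "PHP/5.3.3" anywhere in a banner.
BANNER_RE = re.compile(r"\b(apache|php)/(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_response(raw):
    """Split a raw response into (status_line, {lowercase header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def version_tuple(text):
    """'2.2.3' -> (2, 2): only major.minor are compared against MIN_VERSIONS."""
    return tuple(int(part) for part in text.split(".")[:2])


def audit(raw):
    """Return a list of human-readable findings for one raw HTTP response."""
    _, headers, _ = parse_response(raw)
    findings = []

    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append(f"missing header: {name}")

    for field in ("server", "x-powered-by"):
        for product, version in BANNER_RE.findall(headers.get(field, "")):
            product = product.lower()
            findings.append(f"version disclosed in {field}: {product}/{version}")
            if version_tuple(version) < MIN_VERSIONS[product]:
                floor = ".".join(map(str, MIN_VERSIONS[product]))
                findings.append(f"outdated {product} {version} (older than {floor})")

    cookie = headers.get("set-cookie")
    if cookie:
        # Everything after the first ';' is an attribute; flags have no '='.
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"set-cookie without {flag}")

    return findings


# Constructed sample: an old Apache/PHP stack, no security headers, bare session
# cookie. Illustrative only, not a capture of PartsGateway.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 17 Feb 2017 10:03:00 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>parts</body></html>"
)

# Constructed hardened counterpart: banner stripped, headers present, cookie flagged.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(raw) or ["no findings"]:
            print(" -", finding)
```

Against a live site you would feed `audit()` the headers of an HTTPS response (e.g. from `curl -si`), and treat a version-bearing banner as a prompt to verify the version rather than as proof on its own, since banners can be edited or frozen by distribution backports.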

PartsGateway says it allows UK motorists to hunt down the best deals on genuine new or used car and van parts. Customers can compare new and used car part prices from more than 180 car-breakers at no cost to themselves. ®

Updated at 10.03 GMT on Friday 17 February to add: Still no word from PartsGateway to us at El Reg, but we've been forwarded copies of its emails to customers admitting a breach and advising them to change their email addresses.

"Unfortunately we were the victims of an attack where the perpetrators were able to gain access via a vBulletin work forum to access the user database," PartsGateway told its customers. "We must stress no financial records are stored."
