Oooooh! Fashion! Yes, 1m-plus accounts on clothes, trinket websites exposed by lax security

Fingered e-commerce biz reckons just 'several thousand'

Naff computer security at an e-commerce provider potentially exposed the details of more than a million unique accounts on British clothing and accessory shopping websites, infosec experts have confirmed.

Sub-optimal security at Fashion Nexus meant a white-hat hacker, Taylor Ralston, was able to access databases containing personal details of customers of various online fashion stores that used the e-commerce outfit's technology.

And if he was able to spot the vulnerable data store, potentially anyone could have, too. The databases have since been hidden from sight, we're told.

The exposed data included names, email addresses, IP addresses, physical addresses, phone numbers, password hashes (MD5 and SHA-1, both salted) and dates of birth. Product orders also featured in the mix, mapped to customers and including addresses. There's no evidence payment card information was at risk.

El Reg learned of the cockup via infosec veteran Graham Cluley, and confirmed details of what had been left open to access with Troy Hunt, the security researcher behind the haveibeenpwned.com notification website.

The Register approached White Room Solutions, the sister firm of Fashion Nexus, for comment. The company disputed the enormity of the blunder, and initially would not confirm which brands were affected before relenting and issuing this notice on Tuesday:

We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitive breakdown of those records in due course, however no payment information of any kind is recorded by Fashion Nexus Ltd or our clients, and therefore not compromised.

We would suggest that people change their passwords if they've been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle Attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).

Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server.

The breach was quickly identified and the vulnerability removed. The ICO has been informed...

The "several thousand" figure cited in the Fashion Nexus statement rather understates matters. Troy Hunt has seen the data, passed to him by the white hat, and has confirmed there are almost 1.3 million unique records in total. Of these 280,000 are perhaps test accounts of some sort. However, that still leaves close to a million unique email addresses and records that were at risk of theft.

"This breach was reported to our clients and the ICO [UK's Information Commissioner's Office] as soon as we found out and we are working with them to establish [the] fact[s] and, if required (and once we know the full facts), for our clients (as Data Controller) to contact those affected," a representative of White Room Solutions told El Reg. ®

Bootnote

In the case of DLSB, aka Dirty Little Style Bitch – another Fashion Nexus customer mentioned in Cluley's blog – we understand its database was not compromised but customer info did nonetheless leak due to SMTP config information left there by White Room.




Biting the hand that feeds IT © 1998–2018