Slashdot Mirror


Vudu Resets User Passwords After Burglary

New submitter Chewbacon writes "If you can't hack it, smash and grab it. Video streaming service Vudu has emailed customers informing them of the theft of hard drives containing customer information. CNET reports the information on the stolen drives included: names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. Vudu's Chief Technology Officer Prasanna Ganesan said no complete credit card numbers were stored on the hard drives and expressed confidence in password encryption, but he felt the need to be proactive with the password reset and encouraged users to be proactive as well should the encrypted passwords become compromised. Vudu fails to mention, perhaps in a downplaying move, that the last 4 digits of a credit card and much of the other information stolen is often enough to access an account through virtually any company's phone support."

  1. your data isn't safe by Nyder · · Score: 1, Redundant

    when the thieves come in thru the window. (No, not Windows OS, but the actual window.)

    --
    Be seeing you...
    1. Re:your data isn't safe by Big Hairy Ian · · Score: 2

      Physical security is just as important as online security. You can get just as much info out of a PC in a skip as you can online if it wasn't wiped correctly, for instance.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:your data isn't safe by Anonymous Coward · · Score: 1

      If they steal our drives they're none the wiser. Use the OS-provided disk encryption, people; the boot drive doesn't necessarily need to be encrypted but databases and log files should be.

      To successfully "steal" our data this way the thieves need to arrive with a portable UPS, isolate the right machines, swap them over onto the UPS and then steal them still running, whereupon they can probably use some existing exploit to get past the login screens etc. on console. That's a big ask, considering they have to do all this against the clock because there's a silent alarm.

      We have the facility locked down. Who picks up the trash? The sysadmins do. No cleaners, cleaners are too easily compromised, you hire Bob, he sends Jerry instead, next thing you know some guy with no paperwork is in the building and nobody realises it's a problem. So no cleaners. No unescorted visitors. No contractors, no "guy from the phone company" nothing like that.

      Actually a bigger risk is just bribing or threatening a sysadmin. Get a sysadmin, put a knife to his throat and say "Copy all the data, or else we kill your kids, understand?" or maybe "Here's $50 000 in cash. There's another $50 000 when you give us a USB stick with the data on it". We make sure we hire people with no debt problems, that we pay them well and know we'll take care of them if anything happens, but we can't be 100% sure nobody will get to them. We emphasise that they shouldn't explain what they do, shouldn't be too explicit about their role, what they have access to, but obviously people aren't always as careful as you'd like.

  2. Re:cheap bastards by cbiltcliffe · · Score: 3, Insightful

    Maybe they had a night watchman, and he's the guy that stole the drives.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  3. Re:cheap bastards by ThatsMyNick · · Score: 1

    Cheap bastards. Having a night watchman to watch this watchman would have prevented that.

    Also, you should have gone for - Who watches the watchmen. How could you miss it.

  4. Re:cheap bastards by lxs · · Score: 4, Funny

    Who watches the watchmen.

    I know! That movie is like three hours long.

  5. Who steals HDDs? by fuzzyfuzzyfungus · · Score: 1

    Does used commodity x86 server gear (with hot serial numbers, no less) actually have enough resale value somewhere that it would be reasonable to imagine that the thieves might actually have been after the hardware, or would they have had to have other motives (whether data access, or something else they thought was in the building) to make taking the risk worth it?

    I can see the case for smash-n-grabs on consumer gear, especially laptops and iDevices and such, where gullible and/or morally flexible people do seem willing to buy dubiously sourced goods for a chance at cheap consumer electronics; but the phrase 'used hard drives from ebay' is the sort of thing that I'd only ever use in a server context if I were sneaking up behind an admin and trying to make him jump and turn a curious shade of purple...

    Is the used market more robust than I give it credit for (or the scrap value higher)? Or would grabbing the hard drives be a fairly clear sign that you are after what is on them?

    1. Re:Who steals HDDs? by jjjacer · · Score: 1

      With the price of new drives not falling, maybe the used market has gotten bigger. I know back around the year 2000 at the super computer sales I swear I saw a bin of drives that got ripped out of stolen computers (looks like they were well used and abused and the seller looked like a drug dealer).

      Or maybe people don't want to pay for new drives and are resorting to just stealing from places that have a large supply.

    2. Re:Who steals HDDs? by cdrudge · · Score: 2

      Where does it say what type of drive was stolen or what it was in? Backups of a production database on developers' laptop hard drives, for instance, would still fit the story if laptops were taken. Or if they were on external drives but used for the same purpose.

      Even if they were "enterprise drives" in a server, NAS, SAN, etc., there is some used market for them. Probably not the same market that wanted them new, but they'll still sell for the right price.

    3. Re:Who steals HDDs? by PlusFiveTroll · · Score: 2

      If a thief thought he was getting a storage container full of SSDs, that could be enough motivation. Even used they go for big bucks, especially the enterprise ones.

      My step-mom had her checking account put on hold once after a spurious transaction showed up on it. Come to find out a computer system from the electronic check processing company that Walmart uses was stolen by an employee and sold to some nefarious group.

    4. Re:Who steals HDDs? by Orestesx · · Score: 1

      Why bother going through all that work when a waitress can just write down the cc number when she swipes your card?

  6. Security through obscurity: don't clean up by captainpanic · · Score: 1

    Security through obscurity: My data is safe, even if the thieves break in. No way they can find anything in the mess that I call home. :)

  7. Last 4 digits = bullshit by Anonymous Coward · · Score: 2, Insightful

    Wish I knew which fucktard started that. The first 4-6 digits identify your card issuer, so if I knew you had a discover card (6011) and the last 4 digits, it would halve the search space for your card and LUHN will take care of a huge chunk of the rest. I once freaked out a coworker by reading her credit card number aloud as she typed it from across the room - she had the same university CC I had, the first 8 digits were the same. Look in your wallet and tell me how many cards you have from the same bank? If you were given back the first 4 digits of the card # on your receipt, you'd know exactly which card you used. Nobody else needs to know.

  8. Re:cheap bastards by Kardos · · Score: 1

    Sounds like you need to increase your maximum recursion depth. With a limit that low, why even support recursion?

  9. Re:cheap bastards by Qzukk · · Score: 1

    Maybe they cut a new back door while the guard was watching the front one.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  10. Re:vudu customer by rossdee · · Score: 1

    You can cancel that credit card and get a new cc number, and even change your email address. However, changing your physical address is a bit more expensive, and changing your date of birth is not possible unless you have a time machine.

  11. A secret you have to tell everyone by jbmartin6 · · Score: 3, Insightful

    It strikes me as a little silly to think that the type of personal information on those drives is somehow going to stay a secret. You have to give it to dozens of organizations: banks, employers, stores, and so on. So using this information as a security identifier is a very flawed approach. We seem to accept this since the level of fraud is tolerable. Plus the alternatives such as smart cards are extremely expensive to implement across all of society.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. Re:vudu customer by Anonymous Coward · · Score: 1

    Why would these sites need your date of birth? Might as well give a random one.

  13. hard drive encryption, anyone by Lluc · · Score: 3

    How much do you bet this data was copied onto someone's laptop, sitting on a desk, rather than a thief breaking into a datacenter and pulling an entire server?

  14. Semi-security through obfuscation by DewDude · · Score: 1

    Yes, I use VUDU...solely because every BD I get has a redemption code for Vudu and UltraViolet. I'm not worried; they essentially got data on me that's accessible...last 4 of the CC number? That's been out there since. Everyone else merely just gets hacked. I don't use the same identity details on important things...you couldn't access my bank with just VUDU info...you need several pieces of info for that. At least they're doing something; most places just say you're on your own and we're sorry...VUDU gave everyone affected a year of AllClearID identity protection.

  15. Re:vudu customer by operagost · · Score: 1

    Federal law. Since it's an online service, it would require you to affirm your age is greater than 13 in the USA. They might also have requirements, due to content or similar requirements in other countries.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  16. Re:Proactive proactivity by Anonymous Coward · · Score: 1

    I see it twice in TFA. Not reading TFA and complaining about TFS? Way to slashdot.

  17. Re:Vudu? by nevermore94 · · Score: 2

    Yup, I use and love VuDu. I currently have 38 movies in my collection on their service. Why? Because they are the best online streaming service that supports Android tablets and they also offer the highest resolution streaming in their HDX format for my HTPC and laptop. You can also download local copies for viewing offline on Android tablets. I got much of my collection from redeeming UltraViolet codes from BluRays and also got some as free promotions. WalMart has also partnered with them to put any of your current BluRays or DVDs into your VuDu collection for only $2 apiece, $5 if upgrading a DVD to HDX.

    --
    Nevermore.