Slashdot Mirror


Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com)

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The German security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communications, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."
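
The root cause in the summary is a world-readable S3 bucket holding a SQL Server backup. As an added example (not code from Kromtech, MBM or The Next Web), here is a Python audit over the dict shapes that boto3's get_bucket_acl and get_bucket_policy return, run on constructed sample data rather than a live bucket: it flags public ACL grants, wildcard-principal policy statements, sensitive object names, and recovers the creation time encoded in a maintenance-plan backup file name. The sample ACL, policy and key list are constructed; only the backup file name pattern comes from the report.

```python
import json
import re
from datetime import datetime
from typing import List, Optional, Tuple

# S3 "global" group grantees: a grant to either makes the bucket readable or
# listable by the whole world (AllUsers) or by any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Object suffixes that should never sit in a bucket the public can reach.
SENSITIVE_SUFFIXES = (".bak", ".sql", ".dump", ".env", ".pem", ".key", ".config")
# SQL Server maintenance-plan backup naming: <db>_backup_YYYY_MM_DD_HHMMSS_<n>.bak
BACKUP_NAME_RE = re.compile(
    r"_backup_(\d{4})_(\d{2})_(\d{2})_(\d{2})(\d{2})(\d{2})_\d+\.bak$", re.I)


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """acl has the shape of boto3 get_bucket_acl(): {'Owner': ..., 'Grants': [...]}.
    Returns (group URI, permission) for every world / any-AWS-account grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def public_policy_actions(policy_document: str) -> List[str]:
    """policy_document is the JSON string from get_bucket_policy()['Policy'].
    Returns the actions that unconditional Allow statements grant to Principal '*'."""
    actions: List[str] = []
    for stmt in json.loads(policy_document).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            act = stmt.get("Action", [])
            actions.extend(act if isinstance(act, list) else [act])
    return actions


def backup_timestamp(key: str) -> Optional[datetime]:
    """Recover the creation time encoded in a maintenance-plan backup file name."""
    m = BACKUP_NAME_RE.search(key)
    if not m:
        return None
    return datetime(*map(int, m.groups()))


def sensitive_keys(keys: List[str]) -> List[str]:
    """Object keys whose suffix marks them as backups, dumps or secrets."""
    return [k for k in keys if k.lower().endswith(SENSITIVE_SUFFIXES)]


def audit_bucket(acl: dict, policy_document: Optional[str], keys: List[str]) -> dict:
    """A bucket is 'exposed' when it is public by ACL or policy AND holds something
    sensitive; either condition alone is a warning, both together is a breach."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_actions(policy_document) if policy_document else []
    sensitive = sensitive_keys(keys)
    return {
        "public_acl_grants": acl_findings,
        "public_policy_actions": policy_findings,
        "sensitive_keys": sensitive,
        "backup_times": {k: backup_timestamp(k) for k in sensitive if backup_timestamp(k)},
        "exposed": bool(acl_findings or policy_findings) and bool(sensitive),
    }


# Constructed sample data mirroring the API response shapes (not the real bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SAMPLE_KEYS = [
    "images/ring-001.jpg",
    "MBMWEB_backup_2018_01_13_003008_2864410.bak",  # file name pattern from the report
    "www/web.config",                               # typically holds connection strings
]

if __name__ == "__main__":
    for name, value in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_KEYS).items():
        print(f"{name}: {value}")
```

To run this against a real bucket, feed it `s3.get_bucket_acl(Bucket=name)`, `s3.get_bucket_policy(Bucket=name)["Policy"]` (which raises `NoSuchBucketPolicy` when none is set, so pass `None` in that case) and the `Key` values from `list_objects_v2`. Note that account-level S3 Block Public Access, had it been enabled, would have overridden both the ACL and the policy above; checking that setting first is the cheaper control.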

37 comments

  1. webshit gonna webshit by Anonymous Coward · · Score: 2, Insightful

    Hashing passwords isn't new. So why are people still storing plaintext passwords?

    "We just want a webshop" -- Yeah but you're selling expensive luxury goods. That makes addresses of buyers very interesting, don't you think? WHY EVEN KEEP THAT DATA ONLINE?!?

    What were you thinking? "We just want a webshop." Right. You were not thinking, nor were the webmonkeys you hired for your webshit. Congratulations, you done leaked, and now your customers' data is all over the place.

    1. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      Who cares, it's a jewelry shop. The list is mostly customers with more money than sense. They'll be easy pickings for hackers and have the resources to clean up the mess. Fuck em

    2. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      Because they are fucking idiots.

      I have had a client once insist on having recoverable passwords for their site. I explained to them that the reason users needed to reset passwords is because we store them as hashes in the database for security reasons. They didn't care and demanded that the passwords be recoverable. Since they were paying my bills, I did as they asked. I have no idea if they had security problems after I finished that project, but I wouldn't doubt it.

    3. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      Storing passwords in plaintext needs to carry a minimum and mandatory $5000 fine per infraction. Excessive? Absolutely not. The value of a password has no upper limit.

    4. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      You need an online profile to buy jewelry? WTF for? Don't people like looking at that kind of stuff before they buy it?

    5. Re:webshit gonna webshit by WaffleMonster · · Score: 1

      Hashing passwords isn't new. So why are people still storing plaintext passwords?

      Hashing passwords doesn't work. That so many are STILL advocating a demonstrably worthless course of action scares me more than the revelations of this jewelry site.

      Simple truth is passwords chosen by mortals have insufficient entropy to stand on their own regardless of salts, amplifiers, hash algorithm or wishful thinking (e.g. password policy and training). I don't care if these things make it thousands or millions of times harder in practice. With 1.3 million users the outcome is still comically unacceptable.

      I find it interesting how little encryption actually matters against a wide range of threats especially the persistent variety. Simply put when you use encryption something has got to know those encryption keys. Encryption is nothing more than a shell game where responsibility is continuously transformed and punted. Ultimately responsibility must be accepted. Something has to pay.

      As far as I'm concerned the only thing people should be advocating is for use of isolated authenticators which do NOTHING but perform and manage authentication completely ISOLATED from application servers. It is much more tractable to defend small single purpose systems vs. insane nonsense that passes for general purpose application stacks these days.

      What people are actually doing today that mostly pass for best practices are in fact missing the point and ultimately not much better off than storing passwords in the clear.

      How many of you store private keys in clear text or semantic equivalent on your application servers?
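
The first comment asks why anyone still stores plaintext, and WaffleMonster's reply argues that hashing does not rescue low-entropy passwords. Both points can be shown in one place. The following is an added example, not code from the page or from the site in question: a salted PBKDF2 store with constant-time verification, plus the dictionary attack an attacker would run over a leaked table of such records. The user names, passwords and wordlist are constructed; the iteration count is deliberately low so the demo runs in well under a second and is an assumption, not a recommendation.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor. 20_000 keeps this demo fast; a production deployment should use a
# memory-hard KDF (Argon2id, scrypt) or PBKDF2 tuned to the hardware (OWASP's
# 2023 figure for PBKDF2-HMAC-SHA256 is 600,000 iterations).
DEMO_ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEMO_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$dk_hex'.

    A fresh random salt per user means two users with the same password get
    different records and precomputed tables are useless against the dump.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: a plain == would leak, via timing, how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def dictionary_attack(records: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """What an attacker does with a leaked table of salted hashes: try each
    candidate against each record. The salt forces one KDF run per
    (user, guess) pair, so cost scales with users x guesses, but a guessable
    password still falls. Returns {username: recovered_password}."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    for user, record in records.items():
        for guess in words:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


def demo() -> Dict[str, str]:
    """Constructed users and a constructed wordlist (not data from the leak)."""
    users = {
        "alice": hash_password("Summer2018"),        # season+year pattern
        "bob":   hash_password("k9#Vq2!mLp7Zw$Rt"),  # random; not in any list
        "carol": hash_password("password1"),         # in every wordlist
    }
    # A tiny stand-in for rockyou.txt or a previous breach dump.
    wordlist = ["123456", "password", "password1", "Summer2018", "jewelry", "letmein"]
    return dictionary_attack(users, wordlist)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")
```

The demo recovers alice and carol and leaves bob alone, which is the whole argument in miniature: hashing with a per-user salt and a real work factor turns a free read of every password into a per-guess cost, and that is enough to protect users with strong passwords, but it buys nothing for a password that is in the attacker's first thousand guesses. That is why the KDF has to be paired with breach-list screening or a second factor rather than treated as the end of the job.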

    6. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      I'm all for this so long as the fine is applied to the marketing/sales fucktard that told the developer that all passwords must be readable so that they can tell the customer what their password is when they forget it. Nevermind there's been the capability of allowing the customer to reset the password on their own for decades now. No no, readable passwords or we might lose a sale because someone can't remember their birthday or name of their first pet or the word "password." And don't even get me started on trying to implement password restrictions (must contain upper/lower case, numbers and symbols) because that shit doesn't allow the user to come up with a password they can remember.

      ARGH!

    7. Re:webshit gonna webshit by Anonymous Coward · · Score: 0

      Hashing passwords isn't new. So why are people still storing plaintext passwords?

      "We just want a webshop" -- Yeah but you're selling expensive luxury goods. That makes addresses of buyers very interesting, don't you think? WHY EVEN KEEP THAT DATA ONLINE?!?

      What were you thinking? "We just want a webshop." Right. You were not thinking, nor were the webmonkeys you hired for your webshit. Congratulations, you done leaked, and now your customers' data is all over the place.

      It's not exactly hard to figure out where rich people live just based on their real-estate values. Get a freaking brain. This is all worthless information, except the passwords which could be used to compromise other websites.

  2. IANAL by OrangeTide · · Score: 0

    But the phrase gross criminal negligence come to mind.

    In an ideal world, wanton disregard of decades old security standards should land executives with some fines and possible jail time. For a criminal case, some kind of applicable statute would have to be dug up.

    For a civil case, that's way easier. You have to show that it is likely (really a >50% chance) that their actions, negligence or policies led to some damages. Nobody goes to jail. But some lawyers can get rich settling a million dollar class action suit where everyone that had their identity stolen gets a check for $5 or something equally ridiculous.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:IANAL by Dutch+Gun · · Score: 1

      Yep, plain-text passwords... damn, the level of incompetence that could lead someone to believing this is acceptable these days must be really something. This is not the year 2000 (the probable age of this system), where you might expect a few less-than-competent people haven't gotten the word on best industry practices. This isn't even storing password hashes with outdated crypto and without salt. If the report as implied is accurate, this is pants-on-head level stupidity. You really can't explain your way out of it.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:IANAL by Anonymous Coward · · Score: 0

      should land executives with some fines and possible jail time.

      Do you really think an "executive" made the decision to dump the DB to an unencrypted file? If anyone deserves to go to jail, it should be the employee who created the file, not the CEO who failed to micromanage.

    3. Re:IANAL by OrangeTide · · Score: 1

      Executives control company processes. They hire the people that hire the people that look after the people who make bad design choices.

      What is key, is if someone at the top knows of an issue and at that point chooses not to correct it.

      What you likely can't do is punish a low-level individual contributor for being incompetent, beyond the obvious of firing them. The responsibility lands on a company to audit their architecture, and correct mistakes. If you have no process in place to check that your security decisions are up to industry standards, then you've got a problem that is bigger than some low-level programmer.

      --
      “Common sense is not so common.” — Voltaire
  3. As long as there are no repercussions by gweihir · · Score: 1, Interesting

    ... incompetence and gross negligence on this (admittedly extreme) level will remain common. My suggestion: Immediate payout of $500 to anybody affected, and full cost to anybody that can prove they suffered more damage. If they cannot pay, CEO goes to prison for a few years and has personal fortune impounded. This will lead to companies having insurance for this and insurers taking a critical look at their practices.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:As long as there are no repercussions by Maelwryth · · Score: 1

      That will lead to a couple more paragraphs on their privacy policy and user agreement. That is all.

      Besides can't people sue over breach of contract under the privacy policy and terms of use already? Looking at the agreements it seems a fairly straightforward breach of;

      "Limogés Jewelry collects information that you volunteer in order to process your order, to inform you of special offers, and so that you may receive superior customer service. We do not share your e-mail address with anyone outside of Limogés Jewelry other than when necessary to fulfill your order. On occasion, we may share other information with very carefully selected partners in order to provide you with outstanding special offers, but we will only do so with your consent."

      --
      I reserve the write to mangle english.
    2. Re:As long as there are no repercussions by ShanghaiBill · · Score: 1

      My suggestion: Immediate payout of $500 to anybody affected

      You need to get a grip on reality. A quick Google search says Limoges Jewelry has annual revenue $7.5M. Let's say they have a 10% net profit (unlikely to be that high). That gives them $750k in available cashflow. So for the 1.3M affected, that is 57 cents each. Metered first class mail costs 46 cents, plus 5 cent for the envelope and check, and that leaves 6 cents. If you really think that $500 per person is realistic, you need to explain where the other 99.9% of the money is going to come from.

    3. Re: As long as there are no repercussions by Anonymous Coward · · Score: 0

      Liquidating assets would be my first guess.

  4. Well, there is a simple solution. by Anonymous Coward · · Score: 0

    Just use ******** as your password like I do and nobody will ever guess it.

  5. Lots of apps put DB passwords in plaintext in con by Joe_Dragon · · Score: 1

    Lots of apps put DB passwords in plaintext in config files.

  6. A modest proposal by Anonymous Coward · · Score: 0

    Can we please create two internets in parallel?

    One for the professional programmer folk that use battle-tested tools and design/testing methodologies on secure operating systems.

    And one for the codecampers, outsourcers, and MSDN certified (or whatever Microsoft calls it) bros that are just monkey-hammering their keyboards with copypasta from Stackoverflow and spewing their nasty insecure goo on the rest of us?

    Thanks.

    1. Re: A modest proposal by Anonymous Coward · · Score: 0

      Done. The version for keyboard monkeys is the Internet. The secure version is the overlay network of VPNs between me and select guests.

  7. Purposely leaked to gov't surveillance by civilwaradvocate · · Score: 1

    This is how companies participate in the mass surveillance program.
    They 'accidentally' leave all of their customers' info in an unsecured location and pretend it was a snafu.
    This has been happening A LOT. And no one is learning anything from all these stories?
    The system is trying to appeal to your good, trusting, forgiving nature. Do not fall for it.

    There is a war being waged against every single one of us by the people sworn to protect us.

  8. As the ad slogan says by 93+Escort+Wagon · · Score: 1

    Now you have 1.3 million friends in the diamond business!

    --
    #DeleteChrome
  9. Make it a crime. by uncqual · · Score: 1

    It should be a crime to store plaintext passwords for users on any web site where the public can create ids. There is no reason for it and it's been decades since it was an unacceptable practice on any computer system.

    Of course, once it's a crime, civil liability follows.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  10. Safe in the cloud... by WoodstockJeff · · Score: 1

    Mariners and pilots have known for a long time what clouds mean - DANGER!

    Where was this file found? In the "safety" of the cloud, along with hundreds of thousands of other sensitive files placed there for "safety".

  11. .HTACCESS File by johnsnails · · Score: 1

    Some good gems in the .htaccess file downloadable from here. Of particular interest might be this section to block access to files that end in certain extensions. https://pastebin.com/16Xn1gSs

  14. Nice file name by Anonymous Coward · · Score: 0

    I backup all my backups to backup.bak

  15. Edit by Anonymous Coward · · Score: 0

    "The Germany security firm"
    You probably want to say
    "The German security firm" or "The Germany based security firm"

  16. They should have by Anonymous Coward · · Score: 0

    They should have gone to Jared's.

  17. it's 2018 by sad_ · · Score: 1

    clear text passwords and unprotected databases, we have learned nothing.
    and these things are not even difficult or expensive to implement - there is no excuse here.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  18. Russians did it... by Anonymous Coward · · Score: 0

    Yuh uh... this is the work of Russian masterminds! We're under attack! Trump was elected by Putin! Yarrr!!!

  19. Microsoft SQL - Encryption not enabled? by Darkk · · Score: 1

    Obviously storing passwords in plain-text is frowned upon. To protect the database and backups you can enable encryption which is really easy to do in the SQL admin tool. This way everything is protected. I'd still use HASH and SALT for storing passwords.

  20. Not a leak says the Privacy Policy. by Anonymous Coward · · Score: 0

    "We do not share your e-mail address with anyone outside of Limogés Jewelry other than when necessary to fulfill your order."
    Don't worry about it bro it was just to fulfill your order.

  21. Still cheaper to leak than secure by nitehawk214 · · Score: 1

    A couple million bribe to the lawyers of the class action suit, vouchers for 20% discount to the ones affected by the leak. Heck, the company might MAKE money on the deal.

    As long as there are no repercussions at all for leaking data, there will be no incentive for securing data.

    Storing unhashed passwords in a database means that there will be a major leak, guaranteed. That should be just as illegal as intentionally giving customer details away for money. There needs to be criminal penalties not just civil ones for this kind of crap.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  22. Didn't know what they didn't know by FeelGood314 · · Score: 1

    The company was incompetent but they likely didn't know they were incompetent. People who are good cost a lot of money and someone for half the wage will likely bang out something that looks great using the latest web platform of the month in half the time the high priced guy will take. A CEO, who doesn't know how to program can't evaluate who is good and who isn't. This was a screw up and combined with the fact that almost everyone reuses passwords potentially a major expense for a few people. Bankrupting this company won't make any difference. Other companies like this won't change their behaviour. There are lots of bigger companies that should know better that do worse. There are very few companies that will even change their behaviour when security flaws are pointed out. (they will patch the very specific flaw but not the behaviour that led to it). The only exception to this rule is companies that know they will be the ones that bear the cost of the security breach. Your password IS NOT valuable to a company like this. It generally costs them nothing if they lose it, so they don't count it as an asset worth securing.

  23. [sic]? it's fine, negligence is a noun by iggymanz · · Score: 1

    In law "very great negligence" is a lesser used but equivalent term to "gross negligence".

    Research before [sic]ing.