Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com)
Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The German security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communications, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."
Hashing passwords isn't new. So why are people still storing plaintext passwords?
"We just want a webshop" -- Yeah, but you're selling expensive luxury goods. That makes the addresses of buyers very interesting, don't you think? WHY EVEN KEEP THAT DATA ONLINE?!?
What were you thinking? "We just want a webshop." Right. You were not thinking, nor were the webmonkeys you hired for your webshit. Congratulations, you done leaked, and now your customers' data is all over the place.
... incompetence and gross negligence on this (admittedly extreme) level will remain common. My suggestion: Immediate payout of $500 to anybody affected, and full cost to anybody that can prove they suffered more damage. If they cannot pay, CEO goes to prison for a few years and has personal fortune impounded. This will lead to companies having insurance for this and insurers taking a critical look at their practices.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Lots of apps put DB passwords in plaintext in config files.
This is how companies participate in the mass surveillance program.
They 'accidentally' leave all of their customers' info in an unsecured location and pretend it was a snafu.
This has been happening A LOT. And no one is learning anything from all these stories?
The system is trying to appeal to your good, trusting, forgiving nature. Do not fall for it.
There is a war being waged against every single one of us by the people sworn to protect us.
Now you have 1.3 million friends in the diamond business!
#DeleteChrome
It should be a crime to store plaintext passwords for users on any web site where the public can create ids. There is no reason for it and it's been decades since it was an unacceptable practice on any computer system.
Of course, once it's a crime, civil liability follows.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
Mariners and pilots have known for a long time what clouds mean - DANGER!
Where was this file found? In the "safety" of the cloud, along with hundreds of thousands of other sensitive files placed there for "safety".
Some good gems in the .htaccess file downloadable from here. Of particular interest might be this section to block access to files that end in certain extensions.
https://pastebin.com/16Xn1gSs
Yep, plain-text passwords... damn, the level of incompetence that could lead someone to believing this is acceptable these days must be really something. This is not the year 2000 (the probable age of this system), where you might expect a few less-than-competent people haven't gotten the word on best industry practices. This isn't even storing password hashes with outdated crypto and without salt. If the report as implied is accurate, this is pants-on-head level stupidity. You really can't explain your way out of it.
Irony: Agile development has too much inertia to be abandoned now.
Clear-text passwords and unprotected databases; we have learned nothing.
And these things are not even difficult or expensive to implement; there is no excuse here.
On a long enough timeline, the survival rate for everyone drops to zero.
Obviously, storing passwords in plain text is frowned upon. To protect the database and backups you can enable encryption, which is really easy to do in the SQL admin tool. This way everything is protected. I'd still use HASH and SALT for storing passwords.
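Several comments above (hashing "isn't new", "HASH and SALT", "no reason for it") describe the fix without showing it, so here is an added example of what storing a password correctly looks like. It is not code from the article, from Limoges Jewelry, or from Kromtech; the iteration count, salt length, storage format and the sample user rows are this example's own assumptions. Note the distinction it relies on: encrypting the database file only helps if the key is not copied along with the backup, whereas a salted, slow hash protects each password even when the table contents are fully readable, which is exactly the situation a leaked .bak file puts you in.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256, standard library only.

Added example, not code from the article or the site it discusses.
ITERATIONS, SALT_BYTES and the "$"-separated storage format are this
example's own choices (assumptions), not anything the leaked system used.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: cost tuned for current hardware; raise it over time
SALT_BYTES = 16        # 128-bit random salt per record
DKLEN = 32             # 256-bit derived key


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing string that is safe to keep in a database backup.

    Format: algorithm$iterations$base64(salt)$base64(digest). A fresh random
    salt per user means two users with the same password get different stored
    values, so a leaked dump cannot be cracked with one precomputed table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False   # malformed or truncated record: never "accidentally" accept
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if a record was hashed below the current cost policy.

    Call this after a successful verify_password() and re-hash with the
    plaintext you have in hand at that moment; the stored value is then
    upgraded without ever keeping the plaintext anywhere.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def migrate_plaintext_rows(rows):
    """One-shot migration of a table that still holds a plaintext 'password' column.

    `rows` is a list of dicts standing in for a database cursor; the returned
    rows carry only 'password_hash'. The plaintext column must be dropped from
    the real table (and old backups destroyed) once this has run.
    """
    migrated = []
    for row in rows:
        new_row = dict(row)
        new_row["password_hash"] = hash_password(new_row.pop("password"))
        migrated.append(new_row)
    return migrated


# Constructed sample rows (assumption, not data from the leak).
CONSTRUCTED_ROWS = [
    {"email": "alice@example.com", "password": "correct horse battery staple"},
    {"email": "bob@example.com",   "password": "correct horse battery staple"},
]

if __name__ == "__main__":
    users = migrate_plaintext_rows(CONSTRUCTED_ROWS)
    for u in users:
        print(u["email"], u["password_hash"])
    # Same password, different salts, so the two stored values differ.
    print("distinct:", users[0]["password_hash"] != users[1]["password_hash"])
    print("login ok:", verify_password("correct horse battery staple", users[0]["password_hash"]))
    print("login bad:", verify_password("hunter2", users[0]["password_hash"]))
```

The stored string is the only thing that should ever reach the user table, and therefore the only thing that ends up in a backup file; raising ITERATIONS later makes needs_rehash() return True on each user's next successful login so records can be upgraded gradually.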
A couple million bribe to the lawyers of the class action suit, vouchers for 20% discount to the ones affected by the leak. Heck, the company might MAKE money on the deal.
As long as there are no repercussions at all for leaking data, there will be no incentive for securing data.
Storing unhashed passwords in a database means that there will be a major leak, guaranteed. That should be just as illegal as intentionally giving customer details away for money. There needs to be criminal penalties not just civil ones for this kind of crap.
I'm a good cook. I'm a fantastic eater. - Steven Brust
The company was incompetent but they likely didn't know they were incompetent. People who are good cost a lot of money, and someone for half the wage will likely bang out something that looks great using the latest web platform of the month in half the time the high-priced guy will take. A CEO who doesn't know how to program can't evaluate who is good and who isn't. This was a screw-up and, combined with the fact that almost everyone reuses passwords, potentially a major expense for a few people. Bankrupting this company won't make any difference. Other companies like this won't change their behaviour. There are lots of bigger companies that should know better that do worse. There are very few companies that will even change their behaviour when security flaws are pointed out (they will patch the very specific flaw but not the behaviour that led to it). The only exception to this rule is companies that know they will be the ones that bear the cost of the security breach. Your password IS NOT valuable to a company like this. It generally costs them nothing if they lose it, so they don't count it as an asset worth securing.
In law "very great negligence" is a lesser used but equivalent term to "gross negligence".
Research before [sic]ing.
Executives control company processes. They hire the people that hire the people that look after the people who make bad design choices.
What is key, is if someone at the top knows of an issue and at that point chooses not to correct it.
What you likely can't do is punish a low-level individual contributor for being incompetent, beyond the obvious of firing them. The responsibility lands on a company to audit their architecture and correct mistakes. If you have no process in place to check that your security decisions are up to industry standards, then you've got a problem that is bigger than some low-level programmer.
“Common sense is not so common.” — Voltaire