Hackers claim to have grabbed the personal details of almost 20,000 bods who shopped online at Superdrug, the British cosmetics retailer has confirmed. Payment card details are not said to be among the haul.
The biz has emailed customers, El Reg can confirm, advising them of the “possible disclosure of your personal data, but not including your payment card information.”
“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.
“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”
The cyber villains alleged they had “obtained information on approximately 20,000 customers but we have only seen 386,” the chain added, leading us to believe this is a classic credential-stuffing stunt by the crooks. That's when scumbags take passwords and usernames leaked from one website and use them to log into accounts on other sites, exploiting the fact people reuse their passphrases across various online services and profiles.
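The pattern described above (one source cycling through many different usernames, most attempts failing, a minority succeeding because of reused passwords) is what a defender would look for in a site's authentication logs. The following is an added example written for this article, not code from Superdrug or from El Reg; it assumes a simple constructed log format of `timestamp ip username OK|FAIL`, and the addresses and accounts in the sample are made up (RFC 5737 documentation ranges). It flags source IPs that touch many distinct accounts in a short window with a low success rate, then lists the accounts that did log in successfully from such a source, which is the set a retailer would want to force a password reset on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample authentication log (not real customer data).
# One line per login attempt: ISO timestamp, client IP, username, result.
SAMPLE_LOG = """\
2018-08-20T20:01:02Z 203.0.113.7 alice@example.com FAIL
2018-08-20T20:01:03Z 203.0.113.7 bob@example.com FAIL
2018-08-20T20:01:04Z 203.0.113.7 carol@example.com OK
2018-08-20T20:01:05Z 203.0.113.7 dave@example.com FAIL
2018-08-20T20:01:06Z 203.0.113.7 erin@example.com FAIL
2018-08-20T20:01:07Z 203.0.113.7 frank@example.com OK
2018-08-20T20:05:00Z 198.51.100.9 alice@example.com FAIL
2018-08-20T20:05:30Z 198.51.100.9 alice@example.com OK
2018-08-20T20:06:00Z 192.0.2.44 grace@example.com OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed 'timestamp ip user OK|FAIL' format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user.lower(), result == "OK"))
    return events


def find_stuffing_sources(events: List[AuthEvent], window_seconds: int = 600,
                          min_accounts: int = 5,
                          max_success_ratio: float = 0.5) -> Dict[str, dict]:
    """Return {ip: summary} for sources whose behaviour looks like credential
    stuffing: within any window_seconds span they try at least min_accounts
    distinct usernames and succeed on at most max_success_ratio of attempts.
    A legitimate user hits one or two accounts and mostly succeeds; a stuffing
    tool replays a leaked list and mostly fails."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end].ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            if len(users) < min_accounts:
                continue
            successes = sum(e.ok for e in window)
            if successes / len(window) <= max_success_ratio:
                flagged[ip] = {
                    "distinct_accounts": len({e.user for e in evs}),
                    "attempts": len(evs),
                    "successes": sum(e.ok for e in evs),
                }
                break
    return flagged


def accounts_to_reset(events: List[AuthEvent], **thresholds) -> List[str]:
    """Accounts that were successfully logged into from a flagged source;
    these are the ones whose reused passwords have been confirmed working."""
    bad_ips = find_stuffing_sources(events, **thresholds)
    return sorted({e.user for e in events if e.ok and e.ip in bad_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, summary in find_stuffing_sources(evs).items():
        print(f"suspect source {ip}: {summary}")
    print("force password reset for:", accounts_to_reset(evs))
```

In the sample, one address tries six different customers in five seconds and gets in twice, which is flagged; the address that fails once on its own account and then succeeds is the ordinary mistyped-password case and is left alone. Real deployments would add the same check per user agent or per autonomous system, since stuffing tools rotate through proxies, and would feed the flagged accounts into a forced reset and a notification like the one Superdrug sent.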
Customers’ names, postal addresses and “in some instances” date of birth, phone number and points balances “may have been accessed”, the email stated. The retailer advised customers to update their Superdrug.com password “now and on an on-going, frequent basis.”
Superdrug has contacted the cops and Action Fraud about the incident, and “will be offering them all the information they need for their investigation.” It is believed the miscreants contacted the retailer in hope of extorting money from the business in exchange for their silence.
A spokesperson for Superdrug was not available for immediate comment. ®