Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

Hackers claim to have grabbed the personal details of almost 20,000 bods who shopped online at Superdrug, the British cosmetics retailer has confirmed. Payment card details are not said to be among the haul. The biz has emailed customers, El Reg can confirm, advising them of the “possible disclosure of your personal data, but …

  1. Anonymous Coward
    Anonymous Coward

    And as always

    Absence of evidence isn't evidence of absence.

    Not that I've ever used Superdrug, but now I know this I will never give them my custom.

    I don't care if it was a third party that leaked, the data was entrusted to them.

    I hope GDPR can have some impact on their business.

    1. Tomato Krill

      Re: And as always

      I don't even have your ice cream machine, why are you demanding it back?

      Yay commenting on words I haven't read!

      1. Anonymous Coward
        Anonymous Coward

        Re: And as always

        Fair cop, I didn't process the article fully before spouting off in the comments section.

        Downvotes gracefully accepted.

    2. VinceH

      Re: And as always

      "I don't care if it was a third party that leaked, the data was entrusted to them."

      Umm.

      So if you use the same log-in credentials on Site A and Site B, and I manage to steal them from Site A and log-in to Site B with them, it's somehow Site B's fault?

      You've just left a spare key somewhere, which I've got my hands on and used, and then you've blamed the house for allowing its front door to be opened with that spare key.

      1. Anonymous Coward
        Anonymous Coward

        it's somehow Site B's fault

        No, it'd be site A's fault and the user's fault.

        Well unless Site B allowed 300,000 user login attempts from the same IP address in a very short space of time, that should raise a few eyebrows shouldn't it??

      2. Anonymous Coward
        Anonymous Coward

        Re: And as always

        Exactly what VinceH said.

        It wouldn't be a stretch to assume that 387 people out of the 10 million from Currys/PC World are using the same password would it?

        End result, let's ask everyone to change their password just to be safe, are we sure the site can handle the traffic? yes excellent. *click*

  2. Anonymous Coward
    Anonymous Coward

    Bizarre. It's funny how these "hackers" never ever get payment details. Then again could it be that firms never own up when they do?

    1. Pen-y-gors

      Financial details?

      Or it could be that they don't actually have them. A lot of businesses use payment processors to handle the sensitive financial bit. They pass the customer over to Paypal, Worldpay or whoever, who handle everything, and send back a simple 'The computer says Yes' (or No).

      Although why do they hold date of birth?

      1. wolfetone Silver badge

        Re: Financial details?

        Fairly sure, as part of PCI-DSS, retailers aren't allowed to hold the payment details of their customers. So, in some ways, Superdrug should be commended for actually sticking to the PCI-DSS compliance and not just ticking a box.

      2. katrinab Silver badge

        Re: Financial details?

        The same reason that they ask if you are a man or a woman before they will sell you anything. They believe that having this information will enable them to send more relevant adverts to you.

      3. Jason Bloomberg Silver badge

        Re: Financial details?

        Although why do they hold date of birth?

        Probably so their marketing department can avoid promoting sanitary products to the over-sixties, incontinence pads to the under-thirties, tampons to men, and beard-trimmers to women.

        Because when they make those mistakes there's a whole load of people waiting to criticise and ask why they didn't just store date of birth and other details to avoid such things.

        Us Brits have always been able to find something to moan about. These days it seems looking for something to moan about is a hobby in its own right for many; it's damned if you do and damned if you don't.

        1. wolfetone Silver badge
          Coat

          Re: Financial details?

          "...tampons to men, and beard-trimmers to women."

          You can tell all of that just from a date of birth?!

          1. Anonymous Coward
            Anonymous Coward

            Re: Financial details?

            Why do Italian men have moustaches?

            Because they want to look like their mum.

          2. Anonymous Coward
            Anonymous Coward

            Re: Financial details?

            "You can tell all of that just from a date of birth?!"

            Through the star-sign, obviously.

      4. bpfh

        Re: Financial details?

        So they can send you a happy birthday mail and a 5% off voucher (valid for any purchase in the next 26 hours over 150 quid or something like that...)

    2. Anonymous Coward
      Anonymous Coward

      Well clearly there are a lot of really altruistic hacks going on. Obviously, some nation-states are trying very hard to blacken their own name, since they have nothing better to do.

      Oddly, it's never Norway, in that case.

      It's part of the "pretending to be a moron" strategy in Sun Tzu's The Art of War:-

      "Never let the enemy interrupt you while you are discrediting yourself exactly according to their recently stated wishes. If they're doing it and pretending to be you, play along with it. The Gods demand it!

      Never obstruct the men and money the enemy expends to discredit you. They invite total global destruction, but one of the two functionally identical ruling clans may win a regional election because of it. This is a great prize for the enlightened.

      You must weaken yourself and invite invasion, to which the only possible response is to erase both your nation and theirs simultaneously. They must not be allowed to understand as their forbears did that this will inevitably happen, or they will stop attacking you, and the wonderful surprise will be spoiled.

      In this way you can distract everyone enough, so you can finally finish your breakfast in peace, and burp heartily".

  3. Mark Exclamation

    "We take security very seriously......" etc etc. There. I've said it for them, so they've no need to parrot it.

  4. Anonymous Coward
    Anonymous Coward

    Perhaps 386 isn't the number of records. Instead, records were taken from their 386 :-)

    1. Halfmad

      They should have bought the maths co-processor for DX power.

      1. John Miles

        RE: maths co-processor for DX power

        It was the 486DX that first had a co-processor inbuilt, the 386SX was a 32 bit CPU but with only a 16-bit databus. Intel then renamed the 386 to 386DX - I recall this mainly as my first PC was a 386SX 16MHz and next was 486DX 33MHz (and just how fast it seemed for a while.)

        1. DRue2514

          Re: RE: maths co-processor for DX power

          The 386DX had a 32 bit databus. You could buy the co-processor, the 387 to go with it.

  5. Derezed

    This one made me laugh. As a precaution I never give my genuine date of birth to any website uppity enough to ask for it...that might bite me if I need to make a subject access request (as I do with Dixons/Carphonewarehouse/Curries etc who mentioned I am a lucky one of fifty million who has had their data siphoned by proper hackers).

    Let's hope this is just a bunch of chancers attempting to extort money with no real hack and we don't learn a bit later that "originally we thought only Fred from Essex had his data stolen but it turns out one hundred billion personal records have been hacked" and "don't worry, we're not liable for any fraud because there's no way in a million years you can link it back to our incompetence" (cough: TalkTalk, cough: Dixons/CarphoneWarehouse).

    My favourite glib statement is the one about not worrying, only stuff you can't cancel/change has been splurged into fraudsters hands...trivial stuff like DOB and full name and address...if someone has my credit card details I am covered up the arse...if they have my identity not so much.

  6. Moog42

    Back of the queue...

    Company sends out email at 18:52 asking me to change my password. Servers fall over (and for the rest of the night) at 18:53. Go figure.

    1. Anonymous Coward
      Anonymous Coward

      Re: Back of the queue...

      Did you try just logging in with your old password and changing it? That still worked.

      1. Moog42

        Re: Back of the queue...

        3 hours of 500 errors later I managed to get in. 12 hours later I got the email confirmation that I had changed my password successfully. Speedy Tuesday!

  7. DaveTheForensicAnalyst

    Bigger concerns here would be that the overall parent company of Superdrug also runs a considerable part of the UK's Critical National Infrastructure, let's hope the rot doesn't spread.

    1. Julz

      Which one?

      @ DaveTheForensicAnalyst

      Would you be meaning A.S. Watson Group or their major shareholder CK Hutchinson Holding Ltd? Given Hutchinson is a Kong working out who owns what beyond that is problematic.

      1. katrinab Silver badge

        Re: Which one?

        They own the mobile network Three.

      2. DaveTheForensicAnalyst

        Re: Which one?

        @Julz

        CKH, they own a number of Gas Distributors, Water, and Electrical distributors within the UK, all of which are Critical National Infrastructure, Cat 4 providers.

  8. Gary Heard

    386

    I assume the number that they have found has come from the access logs from the Webserver. If someone's 'normal' IP address has a geolocation of the UK and they suddenly log in from Russia, Ukraine or somewhere unusual, they could at least pick them up that way
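Two detection ideas run through this thread: the earlier point that a site should notice a burst of login attempts against many accounts from one IP address, and the suggestion just above of spotting accounts whose logins jump from their usual country to an unusual one in the web server's access logs. The script below is an added example, not code from the thread, from Superdrug or from The Register; it runs both checks over a constructed log. The log format (ISO timestamp plus `user=`, `ip=`, `result=` pairs), the prefix-to-country lookup table standing in for a GeoIP database, the thresholds, and every address and account name are assumptions made up for the example.

```python
"""Credential-stuffing triage over login logs (constructed example).

Check 1: one source IP makes a burst of attempts spread over many accounts.
Check 2: an account's successful login comes from a different country than
         its previous successful login.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for a GeoIP database: /24 prefix -> ISO country code.
# A real deployment would query a GeoIP provider; this table exists only so
# the example runs offline. The addresses are documentation ranges.
PREFIX_COUNTRY = {
    "198.51.100": "GB",
    "203.0.113": "RU",
    "192.0.2": "UA",
}


def country_of(ip):
    """Map an IPv4 address to a country via its /24 prefix ('??' if unknown)."""
    return PREFIX_COUNTRY.get(ip.rsplit(".", 1)[0], "??")


def parse_line(line):
    """Parse one constructed log line: '<ISO time> user=<u> ip=<a> result=<OK|FAIL>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, FMT)
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_ips(events, window=timedelta(minutes=5), max_attempts=20, min_users=10):
    """Flag IPs whose busiest `window` holds more than max_attempts login attempts
    spread over at least min_users distinct accounts (the stuffing signature;
    one user mistyping a password a few times does not trip it)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # (attempts, distinct users) for the densest window seen
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if best is None or len(win) > best[0]:
                best = (len(win), len({e["user"] for e in win}))
        if best and best[0] > max_attempts and best[1] >= min_users:
            flagged[ip] = {"attempts": best[0], "distinct_users": best[1]}
    return flagged


def country_changes(events):
    """For each account, report successful logins whose country differs from the
    country of that account's previous successful login."""
    last_country = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "OK":
            continue
        country = country_of(e["ip"])
        prev = last_country.get(e["user"])
        if prev is not None and prev != country:
            alerts.append((e["user"], prev, country, e["ip"]))
        last_country[e["user"]] = country
    return alerts


def build_sample_log():
    """Constructed log: one normal user, one user mistyping, one stuffing burst."""
    base = datetime(2018, 8, 21, 18, 0, 0)
    lines = [f"{base.strftime(FMT)} user=alice ip=198.51.100.7 result=OK"]
    # bob fumbles his password twice from his usual GB address: benign
    for secs, res in ((60, "FAIL"), (70, "FAIL"), (80, "OK")):
        lines.append(f"{(base + timedelta(seconds=secs)).strftime(FMT)} "
                     f"user=bob ip=198.51.100.22 result={res}")
    # 30 attempts against 30 accounts from one address in 90 seconds;
    # exactly one reused password (alice's) happens to work
    for i in range(30):
        t = base + timedelta(minutes=10, seconds=3 * i)
        user, res = ("alice", "OK") if i == 4 else (f"user{i:02d}", "FAIL")
        lines.append(f"{t.strftime(FMT)} user={user} ip=203.0.113.5 result={res}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("burst sources:", burst_ips(evs))
    print("country changes:", country_changes(evs))
```

Run stand-alone it prints the burst source with its attempt and distinct-account counts, and the single account whose successful login moved from GB to RU; bob's two mistakes from his usual address trip neither check.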

  9. Aladdin Sane

    advised customers to update their ... password ... “on an on-going, frequent basis.”

    Well that's just fucking stupid.

    1. anthonyhegedus Silver badge

      Re: advised customers to update their ... password ... “on an on-going, frequent basis.”

      Totally agree, whilst there may be some advantages to frequently changing your password, there are plenty of disadvantages. Asking thousands or even millions of people to change their passwords regularly just creates more vulnerabilities. If there are keyloggers on PCs, they're just waiting for people to change their passwords and the more frequently people change them, the more likely a keylogger is to strike gold. Then there's the issue of people having to remember said passwords. People aren't very good at remembering a few dozen passwords, and even less so if they keep changing. So what do they do? They write them down or put them in a file called 'passwords'.

      Not only that but people hate changing passwords, it's a stressor and will actually put them off using a site, especially if they're forced to keep doing it.

      1. Aladdin Sane

        Re: advised customers to update their ... password ... “on an on-going, frequent basis.”

        For a lot of people, "changing" just means incrementing from Password1 to Password2.

  10. Anonymous Coward
    Anonymous Coward

    "What's *your* type?"

    "Insecure!"

    (In homage to the dearly missed Love Island 2018).

  11. andy 103
    WTF?

    Why they store date of birth

    I can't believe how many people have questioned why they store DOB.

    Hello - the clue is in the name SuperDRUG. There are age restrictions on buying certain products, including "basics" such as Paracetamol.

    I haven't checked whether they validate DOB when trying to buy certain products but imagine the criticism they'd receive if they weren't keeping records and selling age-restricted items to anyone!

    1. Moog42

      Re: Why they store date of birth

      They sell nicotine-based products (e-cigs etc.) online - strictly over-18s only

    2. Derezed

      Re: Why they store date of birth

      I am pretty sure if I order a box of tampons or paracetamol from Superdrug online they're not going to request copies of my passport and a utility bill...this makes the date of birth field on their website as useful as a favourite colour field for verifying that purchases are being made legally. There are no age restrictions on buying OTC medicines:

      Note from the NHS website: "There are no legal age restrictions for buying over-the-counter (OTC) medicines."...no need for DoB checks here.

      From their terms and conditions:

      Age Restrictions

      We only accept orders from persons aged 16 and over. By placing an order for pharmacy-only medicines, you are confirming that you are aged 16 or over.

      From their terms of use:

      2.4 The purchase of certain products and services on the Site are subject to age requirements specified by law. We are not permitted by law to supply these products or services to individuals who do not satisfy these age requirements and, if you are underage, you must not attempt to order these products or services through the Site.

      I just registered an account with them with a DoB of 2004. I then added some paracetamol to my basket, answered some health questionnaire questions which didn't include my DoB and hey presto...they'll deliver them tomorrow! Odd, because it says my DoB will be used for checks (it doesn't even check that I am 16 and therefore allowed to use their website!)

      To the dude who thought they restricted based on Nicotinell Mint 1mg Compressed Lozenge 96 Lozenges...I just bought some with my 14-year-old profile.

      On the medicines questionnaire they even ask "how old the patient is" when I have selected "the medicine is for me". I selected 18 years +...no verification against my supposed birth date...

      TLDR: they use DoB for marketing purposes and nothing more. Superdrug work on the "Trust" policy of assuming you're the correct age...

  12. Just Enough
    Facepalm

    Clueless

    "The retailer advised customers to update their Superdrug.com password “now and on an on-going, frequent basis.”"

    This is why you don't take your security advice from a shop. This advice is guaranteed to encourage weak passwords and password re-use, exactly what got them into this position.

    Why couldn't they have got someone with a clue and advised their customers to "NEVER reuse passwords on different websites. Use a password safe, create a unique, strong password and stick to it."

    1. andy 103

      Re: Clueless

      "Use a password safe"

      - Does an average (non I.T. literate, non Reg reader) even know what a password safe is, let alone how to use it?

      "create a unique, strong password"

      - Which I have to write down or store insecurely because I can't remember it, and don't know what a password safe is.

      Do you get why so many people use the same password across multiple sites now? Simplicity and convenience will always go over security for most people in society, and it's hard to convince them otherwise... unless or until something bad happens.

      1. Anonymous Coward
        Anonymous Coward

        Re: Clueless

        - Does an average (non I.T. literate, non Reg reader) even know what a password safe is, let alone how to use it?

        Yes, they probably do - but no, they don't use one, because they're inundated with offers of cloud-based paid subscription services which they (rightly) feel are not only poor value for money, but hardly secure either. (A plague on the corporations that do this. Just because home users were gullible enough to buy your heavily overspecced paid subscription anti-virus products; you couldn't stop, could you?)

        Tried and trusted way :- free open source OFFLINE password manager with portable encrypted DB, and keyfiles if you're feeling extra paranoid. Pass it on.

  13. Tebbers

    How is it Superdrug's fault?

    Assuming that this *is* a credential stuffing attack for a moment, how is this Superdrug's fault that their users reuse their passwords - even if they are complex passwords?

    You could argue they should have had 2FA in place, but this seems a little overkill for ordering cosmetics online...

  14. JimmyPage Silver badge
    Holmes

    386 ?????

    I guess it might really have been. But that's such a baggage-laden number in IT, it does suggest that it was the first number the person quizzed could think of.

    "Did I ever tell you the time I sang in a barbershop quartet in Skokie Illinois .... ?"

    Been a while since we've had a call for more El Reg icons. But a "Oh, really ???" one might be an idea ?

  15. Alister

    "create a unique, strong password"

    - Which I have to write down or store insecurely because I can't remember it, and don't know what a password safe is.

    Maybe it's time to acknowledge that writing down strong, complex, unique passwords for websites and keeping them at home, is far more secure than reusing weak easily remembered passwords everywhere?

    1. anthonyhegedus Silver badge

      Agreed, most of the time. But in a work environment, writing down passwords is very stupid indeed. And it isn't always safe to do this at home either.

      By the way whenever a website asks for my DOB, I use 1/1/1970. I'm beginning to think I should use 1/1/1910. I'll get far less marketing shite then.

      1. Derezed
        Big Brother

        1/1/1900

        You run the risk of a letter from a queen though...or a visit from a BBC reporter finding out what you are "the last of" from WW2 (or actually WW1 with that age).

  16. FlamingDeath Silver badge

    CEO bonus covered though?

    I bet they outsourced their IT to some Managed Services outfit who are themselves “Managing” about 30 other companies' IT systems with 3 members of staff.

    But the upshot of this, is that the CEO, executives and shareholders received huge salaries / bonuses / dividends.

    Business as usual...

  17. This post has been deleted by its author
