Superdrug Rebuffs Super Ransom After Supposed Super Heist
Pharmacy Chain Quickly Notifies Victims, But Fumbles Password Prescription
U.K. health, beauty retailer and pharmacy chain Superdrug Stores is warning customers that attackers may have compromised some of their personal information, apparently via credential-stuffing attacks.
"On Monday evening, we were contacted by an individual who claimed they had obtained a number of our customers' online shopping information and was seeking a ransom from us," a Superdrug spokeswoman tells me. "We believe they obtained customers' email addresses and passwords from other websites and then used those credentials to access accounts on our website."
At risk: Customers' names, addresses, dates of birth, phone numbers and incentive program points balances. But Superdrug says no payment card data was compromised.
Superdrug says the hacker is claiming to have compromised about 20,000 accounts. But the retailer says it has not been able to confirm this number.
"We have worked with our independent IT security advisers who have confirmed that there have been no signs of a hack of our systems - for example, there has been no mass data download or extraction from our systems," the spokeswoman says. "They also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug."
Suspicion: Credential Stuffing
Superdrug would not be the first organization to see its users' accounts get compromised via credential stuffing, which refers to attackers taking usernames and passwords stolen or leaked from one site to log into any other site for which an individual reused their credentials.
Data breach expert Troy Hunt told me in June at the Infosecurity Europe conference in London that such attacks can be a lose-lose situation for an organization - call it website B - that was never breached, but for which a user reused the same credentials they used for website A, which was hacked.
"This is where I'm a little bit sympathetic," Hunt says. "This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials, and that's a really hard problem" (see Credential Stuffing Attacks: How to Combat Reused Passwords).
Superdrug Notifies Victims
Superdrug says it's emailed all users whose information may have been compromised.
Kudos to Superdrug for the timely notification.
But there are three ways in which the organization could have done better.
First, attackers regularly craft phishing emails to attempt to trick individuals into divulging personal details. Superdrug had to take to social media channels to assure customers that its data breach notification - and advice that users change their passwords - was legitimate. It's likely, however, that attackers will have already crafted look-alike phishing messages designed to trick users into visiting malicious sites or installing malware.
Second, some Superdrug site users report that when they attempted to change their password, they encountered an "internal server" error.
I would be able to change my password but tried from 4 different devices and the website keeps giving me an internal server error. Not acceptable that I might have my details compromised and I can't change my password.
— Ellen Auckland (@EllenA1997) August 21, 2018
Superdrug has acknowledged the problem. "We are aware that some customers we contacted and asked to change their passwords had difficulty logging in due to the number of people who were using the website, and we apologize for any inconvenience caused," the spokeswoman tells me.
Obviously, having the server power in place before recommending that all users pick a new password would have been better.
Third, Superdrug's advice to users includes this recommendation: "In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis."
Poor Password-Change Prescription
One problem: Security experts say such guidance is outdated, and frequent password changes do more harm than good (see Why Are We *Still* So Stupid About Passwords?).
How do they know? In part, thanks to studying user behavior. Force users to frequently change their passwords, and they're more inclined to reuse passwords, write them down, base new passwords on old ones or to choose weaker, easier-to-remember passwords.
Such research led the U.K.'s National Cyber Security Centre - part of the country's GCHQ signals intelligence agency - in 2016 to recommend that organizations never force users to change their passwords on a regular basis.
"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack," the NCSC said in its password guidance.
"Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately," NCSC says.
Instead of forcing users to regularly change passwords, NCSC recommends that organizations monitor "logins to detect unusual use" and notify users whenever the organization detects a login attempt on their account, regardless of whether it was successful. "They should report any for which they were not responsible," NCSC says.
NCSC also recommends users always use password management software to help them generate and securely store unique passwords for every site they use.
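As an added illustration, not code from the article or from Superdrug, the following runs over constructed sample login records in the spirit of NCSC's "monitoring logins to detect unusual use": it flags the credential-stuffing pattern described above (one source trying many distinct accounts, mostly failing) and then lists the accounts whose login succeeded from that source, so those users can be notified to change a reused password. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login records (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
2018-08-20T21:01:05Z ip=203.0.113.7 user=alice@example.net result=fail
2018-08-20T21:01:06Z ip=203.0.113.7 user=bob@example.net result=fail
2018-08-20T21:01:06Z ip=203.0.113.7 user=carol@example.net result=success
2018-08-20T21:01:07Z ip=203.0.113.7 user=dave@example.net result=fail
2018-08-20T21:01:08Z ip=203.0.113.7 user=erin@example.net result=success
2018-08-20T21:01:09Z ip=203.0.113.7 user=frank@example.net result=fail
2018-08-20T21:05:30Z ip=198.51.100.9 user=grace@example.net result=fail
2018-08-20T21:05:41Z ip=198.51.100.9 user=grace@example.net result=success
"""

# Assumed key=value line layout; adapt the pattern to the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Turn raw log lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def stuffing_suspects(events, min_users=5, min_fail_ratio=0.5):
    """IPs that tried many *distinct* usernames with a high failure ratio.
    One user mistyping a password looks different: one username, few attempts."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            suspects[ip] = sorted(s["users"])
    return suspects

def accounts_to_notify(events, suspects):
    """Accounts where a *successful* login came from a suspect IP: the reused
    password most likely worked, so these users should be told to change it."""
    hits = {e["user"] for e in events
            if e["ip"] in suspects and e["result"] == "success"}
    return sorted(hits)
```

The thresholds are deliberately simple; in production they would be tuned per site and combined with rate limiting rather than used alone.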
Numerous organizations have yet to heed such password-change guidance. Microsoft, for example, still requires all users of its hosted Exchange Online service to change their passwords every 90 days or else locks them out of their accounts.
The Superdrug spokeswoman, when queried about the dissonance between Superdrug's password prescription and recommendations issued by the likes of NCSC, promised to flag it with the organization's IT and security team.