Games retailer CeX has told customers to change their passwords after hackers stole the personal data of two million customers. The company owns around 300 stores across the UK; however, it is the details of customers using the online shop that were exposed in the data breach. The stolen information included names, addresses, email addresses and phone numbers. It also included a small number of encrypted credit card details.
What has CeX been doing since the leak?
CeX says that as soon as it found out about the breach, it sent an email to customers telling them what they needed to do to protect their information. The company particularly urged those who use the same login on other websites to change their password immediately. It said it stored passwords in an encrypted form, but admitted hackers could still decode them.
Should customers worry?
The data hack saw scammers take customers’ full names, addresses, email addresses, phone numbers and old credit card information. However, CeX assured customers that as it stopped storing credit card information after 2009, customers don’t need to worry. The company has since hired a cyber-security expert to strengthen its security and ensure such incidents cannot happen again.
CeX customers not in receipt of an email alerting them to the breach are unlikely to be affected.
Spambot responsible for breach
In a separate incident, unrelated to CeX, around 700 million addresses and passwords were recently leaked online in a huge data breach by a spambot. The data breach, flagged by a French security expert who calls himself Benkow, was a result of spammers collecting information to use to break into users’ email accounts. The data became available online because the spammers didn’t secure one of their servers. This allowed anyone to download many gigabytes of information without any authorisation. It’s impossible to tell just how many people, apart from the original spammer who accumulated the database, have downloaded their own copies.
It’s likely that the number of contact details belonging to actual people in the leak will be lower than 700 million, due to the number of fake, malformed and repeated email addresses contained in the data set. Although more than 700 million email addresses were included in the data breach, many of them do not correspond to real accounts. Members of the public can check if their accounts have been affected via the Have I Been Pwned service. Benkow recommends that affected users “change your password, and be more vigilant with the emails that you receive”.