Security Experts:

Best Buy Warns Customers of Account Hacking Attempts

After detecting an increase in malicious attempts to access user accounts, the retail giant Best Buy is alerting customers to reset their passwords. However, it appears that the warning is confusing some users.

The letter starts as one would expect; “Dear Valued Best Buy Customer.” From there, the message to customers says that the company is investigating increased attempts from attackers around the globe, who appear to be targeting BestBuy.com and other e-commerce sites.

Attackers Hit Best Buy“These hackers did not take username/password combinations from any Best Buy system; they appear to be using combinations taken elsewhere in an attempt to gain access to BestBuy.com accounts,” the letter states.

“Our investigation indicates that your account may have been accessed by these hackers. We are taking action now to help protect your account; we have disabled your current password, and ask that you take a few minutes to reset it.”

The letter was delivered using the company’s mass mailing system, and the links embedded within were not SSL enabled. Thus, some of Best Buy’s more technical clients were skeptical of the message’s sincerity. When asked if the letter was legit, an employee monitoring the corporate Facebook account confirmed the warning.

Some customers said that despite the fact the letter told them their password was reset, they were able to access their accounts using the old credentials. Best Buy had no answers there.

It isn’t clear if there was a breach, or if the letter is complete and the retailer is reacting to an increase in probes and attempts to breach their systems. Either way, customers who have online accounts with Best Buy are being encouraged to change their passwords in order to be on the safe side.

A copy of the warning letter is here.  

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.
view counter