
Breach at Used Tech Goods Seller CeX Exposes Two Million Customers

CeX, a second-hand technology goods chain, is notifying up to 2 million of its online customers that their personal details may have been compromised.

CeX operates more than 350 shops in the UK, and more than 100 overseas (including around a dozen in America, 20 in Australia, and 20 in India). The data appears to have been stolen from a database accessed via the company’s WeBuy website rather than in-store POS devices.

Neither the emailed notification nor a brief online statement provides much information. They both say, “we have recently been subject to an online security breach.” They do not say when the breach occurred, nor when it was discovered.

The statement says, “The [stolen] data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.”

CeX stresses that there is no loss of current financial data: “We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.” The firm does not comment on why it should still be storing expired card data that is at least eight years old.

The breach appears not to have affected all of the firm's customers, and customers who do not receive the warning email can take it that their details were not stolen. The only advice given to the affected customers is to change their WeBuy password, and "to change their password across other services where they may have re-used their WeBuy website password."

The passwords were apparently hashed. The statement merely says, “your password has not been stored in plain text,” without giving any indication on how it was stored. However, it warns that if the user’s password “is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services.”


This is an understatement. Unless the hashes were salted and computed with a deliberately slow algorithm, which the statement does not claim, the warning would more accurately be stated as, 'unless your password is particularly complicated, it will be discovered by a third party in a very short period of time.' Whoever holds the stolen table can test candidate passwords offline at whatever rate their hardware allows, with no lockout or rate limit to slow them down. Under such circumstances it could be more expedient for the company to force a password reset across all customers, since so many have been affected, rather than ask the affected customers to do it themselves.
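To show why the wording understates the risk, here is an added example (not code from the article or from CeX; the user records, passwords, wordlist and both hash formats are constructed for illustration). It runs a dictionary attack against a leaked password table twice: once where the site stored an unsalted fast hash (SHA-1), which is "not plain text" but falls to a shared lookup table, and once where it stored a per-user salted PBKDF2 hash, where every guess against every user costs a full run of the slow function.

```python
"""Offline dictionary attack against a leaked password table: unsalted fast
hash versus salted, deliberately slow hash.  Added example; the records and
wordlist below are constructed and are not CeX data."""
import hashlib
import hmac
import os

# A small constructed wordlist. Real attackers use hundreds of millions of
# candidates, so a "not particularly complex" password is covered quickly.
WORDLIST = ["password", "123456", "qwerty", "letmein", "cex2017", "iphone7", "welcome1"]

# Constructed users: two weak passwords, one 16-character random one.
USERS = {
    "alice@example.com": "letmein",
    "bob@example.com": "cex2017",
    "carol@example.com": "T7#v9kQ!pz2Lm@4r",
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: 'not plain text', but fast and identical across users."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# What the attacker actually obtains in each case (constructed from USERS).
LEAKED_FAST = {user: sha1_hex(pw) for user, pw in USERS.items()}
LEAKED_SLOW = {}
for _user, _pw in USERS.items():
    _salt = os.urandom(16)
    LEAKED_SLOW[_user] = (_salt, pbkdf2_hash(_pw, _salt))


def crack_unsalted(dump, wordlist, hashfn=sha1_hex):
    """Hash each candidate once, then look every leaked digest up in that table.
    The cost is one hash per candidate no matter how many users leaked.
    Returns (recovered passwords, number of hash computations)."""
    table = {hashfn(w): w for w in wordlist}
    found = {user: table[digest] for user, digest in dump.items() if digest in table}
    return found, len(table)


def crack_salted(dump, wordlist):
    """Per-user salt defeats the shared table: every (user, candidate) pair is a
    full PBKDF2 run, so work scales with users x candidates x iterations.
    Returns (recovered passwords, number of hash computations)."""
    found = {}
    attempts = 0
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            attempts += 1
            if hmac.compare_digest(pbkdf2_hash(candidate, salt), digest):
                found[user] = candidate
                break
    return found, attempts


if __name__ == "__main__":
    fast_found, fast_work = crack_unsalted(LEAKED_FAST, WORDLIST)
    slow_found, slow_work = crack_salted(LEAKED_SLOW, WORDLIST)
    print("unsalted SHA-1 :", fast_found, "after", fast_work, "hashes")
    print("salted PBKDF2  :", slow_found, "after", slow_work, "hashes of 50,000 rounds each")
```

Both runs recover the same two weak passwords and neither recovers the random one, which is the point of the advice to use a strong password. The difference is in cost: the unsalted table is broken for every user with seven hash computations in total, so at two million accounts the attacker's effort per recovered password is effectively nil, while the salted PBKDF2 table needs a separate run of 50,000 rounds for each user and each guess. That cost, not the absence of plain text, is what buys the time a forced reset needs.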

Completely missing from the statement is any warning about subsequent phishing attempts. Although no current financial details were taken, a name, email address and phone number, together with a known interest in technology and a known relationship with CeX, are enough for the attackers to produce convincing and targeted phishing and/or vishing attacks, for example a fake "breach notification" that asks the recipient to log in and confirm their details. All affected customers should be aware of this possibility.

Ilia Kolochenko, CEO at High-Tech Bridge, explains the issue. “The core problem is the continuing ramifications of each breach — attackers may use compromised credentials, or other sensitive data, in password reuse and social engineering attacks years after the original breach. And the more breaches that occur, the more successful further attacks become as cybercriminals accumulate a huge amount of data about us. To minimize the domino effect of unavoidable breaches,” he continues, “users should use strong and unique passwords, and provide as little sensitive, or confidential, information about themselves as reasonable in all their online accounts.”

There is one further possible consideration for some customers. In 2014, CeX started accepting payment from, and paying, customers in bitcoin. However, its statement says that it is unable to tell customers exactly what data about them was stolen. It is possible that the stolen data could indicate which customers hold a bitcoin wallet. At this stage of the investigation into the breach, it would be advisable for any CeX customers with bitcoin wallets to take extra precautions to protect those wallets, since personal wallets are increasingly targeted by cyber criminals.

When asked for clarification on the bitcoin issue, a spokesperson for CeX provided a generic statement to SecurityWeek.

“Late last year, we suffered what we believed to be a low-level breach in our online UK website security, along with a phishing attempt. It was swiftly identified and fixed, and we immediately put in place additional security measures,” the statement said. “No further security breach has since taken place and we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data.

“However, in August this year we received communication from a third party claiming to have access to some of our online UK website data from the security breach,” the statement continued. “We immediately informed the relevant authorities, including the ICO and NCA who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again. We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage.”

*Updated with statement from CeX.

Related: North Korea Accused of Stealing Bitcoin to Bolster Finances 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
