Security Experts:

Breach at Used Tech Goods Seller CeX Exposes Two Million Customers

CeX, a second-hand technology goods chain, is notifying up to 2 million of its online customers that their personal details may have been compromised.

CeX operates more than 350 shops in the UK, and more than 100 overseas (including around a dozen in America, 20 in Australia, and 20 in India). The data appears to have been stolen from a database accessed via the company's WeBuy website rather than in-store POS devices.

Neither the emailed notification nor a brief online statement provides much information. They both say, "we have recently been subject to an online security breach." They do not say when the breach occurred, nor when it was discovered.

The statement says, "The [stolen] data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."

CeX stresses that there is no loss of current financial data: "We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009." The firm does not comment on why it should still be storing expired card data that is at least eight years old.

It would seem that the breach has not affected all the firm's customers; and any customers who do not receive the warning email can assume their details were not stolen. The only advice given to the affected customers is to change their WeBuy password, and "to change their password across other services where they may have re-used their WeBuy website password."

The passwords were apparently hashed. The statement merely says, "your password has not been stored in plain text," without giving any indication on how it was stored. However, it warns that if the user's password "is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services."

This is an understatement, and would more accurately be stated as, 'unless your password is particularly complicated, it will be discovered by a third-party in a very short period of time.' Under such circumstances it could be more expedient for the company to force a password reset across all customers, since so many have been affected, rather than ask the affected customers to do it themselves.

Completely missing from the statement is any warning about subsequent phishing attempts. Although no financial details were taken, name, email and phone numbers together with a known interest in technology would be enough for the attackers to produce compelling and targeted phishing and or vishing attacks -- and all affected customers should be aware of this possibility.

Ilia Kolochenko, CEO at High-Tech Bridge, explains the issue. "The core problem is the continuing ramifications of each breach -- attackers may use compromised credentials, or other sensitive data, in password reuse and social engineering attacks years after the original breach. And the more breaches that occur, the more successful further attacks become as cybercriminals accumulate a huge amount of data about us. To minimize the domino effect of unavoidable breaches," he continues, "users should use strong and unique passwords, and provide as little sensitive, or confidential, information about themselves as reasonable in all their online accounts."

There is one further possible consideration for some customers. In 2014, CeX started accepting payment and paying customers in bitcoins. However, its statement says that it is unable to tell customers exactly what data about them was stolen. It is possible that the stolen data could indicate customers who have a bitcoin wallet. At this stage of the investigation into the breach, it would be advisable for any CeX customers with bitcoin wallets to take extra precautions to protect those wallets since personal wallets are increasingly targeted by cyber criminals.

When asked for clarification on the bitcoin issue, a spokesperson for CeX provided a generic statement to SecurityWeek.

"Late last year, we suffered what we believed to be a low-level breach in our online UK website security, along with a phishing attempt. It was swiftly identified and fixed, and we immediately put in place additional security measures," the statement said. "No further security breach has since taken place and we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data.

"However, in August this year we received communication from a third party claiming to have access to some of our online UK website data from the security breach," the statement continued. "We immediately informed the relevant authorities, including the ICO and NCA who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again. We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage."

*Updated with statement from CeX.

Related: North Korea Accused of Stealing Bitcoin to Bolster Finances 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.