BreachExchange mailing list archives

Stolen passwords re-used to attack Best Buy accounts


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 Jul 2012 00:20:19 -0400

http://www.zdnet.com/stolen-passwords-re-used-to-attack-best-buy-accounts-7000000741/

Summary: Customer re-use of the same user name and password across
multiple sites is being blamed for attacks on customer accounts at
BestBuy.com.

After months of Best Buy customers reporting compromised accounts, the
company has finally confirmed hackers are attacking its online retail
site using credentials stolen from other sites.

It’s a worst-case scenario, where credentials stolen from one site are
used to access other sites, most notably retail or banking sites where
hackers can extract some value.

The reason that’s possible is users are prone to use the same username
and password at multiple sites. In a Washington Post survey last
month, 30% of respondents say they use the same password for different
websites, such as banking, social networking and shopping.

In the Best Buy case, hackers are testing that theory, according to
company officials. The original credential theft may have occurred
more than a year ago from a site not affiliated with Best Buy and is
now raising its ugly head as hackers log into Best Buy accounts that
keep a credit card on file and steal hundreds of dollars in gift
cards.
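What that attack looks like from the retailer's side, as an added example that is not code from the ZDNet article or from Best Buy: a credential-stuffing source replays a stolen username/password list against many different accounts from one address in a short time, and the handful of accounts that succeed are exactly the customers who reused their password elsewhere. The detector below runs over constructed login events (the one-line-per-event log format, the thresholds and the names are assumptions) and reports each source that tried at least five distinct usernames inside a sliding window, together with the accounts it got into, which are the ones to force-reset.

```python
"""
Flag credential-stuffing sources in a login-event stream.

Added example, not code from the ZDNet article or from Best Buy. The log
format is an assumption: one event per line,
"<ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real traffic). 203.0.113.7 replays a stolen
# credential list against many different accounts in a few seconds; two of
# them succeed because those users reused their password. 198.51.100.2 is a
# legitimate user who mistypes once and then logs in. 192.0.2.9 is ordinary.
SAMPLE_LOG = """\
2012-07-11T10:00:01Z 203.0.113.7 alice@example.com FAIL
2012-07-11T10:00:02Z 203.0.113.7 bob@example.com FAIL
2012-07-11T10:00:02Z 203.0.113.7 carol@example.com OK
2012-07-11T10:00:03Z 203.0.113.7 dave@example.com FAIL
2012-07-11T10:00:03Z 203.0.113.7 erin@example.com FAIL
2012-07-11T10:00:04Z 203.0.113.7 frank@example.com OK
2012-07-11T10:00:04Z 203.0.113.7 grace@example.com FAIL
2012-07-11T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2012-07-11T10:05:00Z 198.51.100.2 alice@example.com FAIL
2012-07-11T10:05:09Z 198.51.100.2 alice@example.com OK
2012-07-11T11:00:00Z 192.0.2.9 ivan@example.com OK
"""


def parse_events(text):
    """Parse log lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "OK",
        })
    return events


def find_stuffing_sources(events, window_seconds=60, min_distinct_users=5):
    """
    Return {ip: {"distinct_users": n, "attempts": n, "compromised": [users]}}
    for every source IP that tried at least `min_distinct_users` different
    usernames inside some `window_seconds` sliding window. A success inside
    such a window means the stuffing source found a reused password, so that
    account is listed as compromised.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until it spans at most window_seconds.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_distinct_users:
                continue
            rec = flagged.setdefault(
                ip, {"distinct_users": 0, "attempts": len(evs), "compromised": set()})
            rec["distinct_users"] = max(rec["distinct_users"], len(users))
            rec["compromised"].update(e["user"] for e in span if e["ok"])
    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts a stuffing source logged into: force a reset on each."""
    return sorted({u for rec in flagged.values() for u in rec["compromised"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_events(SAMPLE_LOG))
    for ip, rec in hits.items():
        print(f"{ip}: {rec['distinct_users']} usernames across {rec['attempts']} "
              f"attempts, logged into {rec['compromised']}")
    print("reset:", accounts_to_reset(hits))
```

The per-IP threshold is the cheap first cut; it is defeated by an attacker who spreads the list across many addresses, which is what the Best Buy email's "hackers around the world" suggests. The complementary signals are per-account rather than per-source: a successful login from an address and device the account has never used, a site-wide spike in the failure rate, and the post-login behaviour the victims described (a gift-card purchase shipped to a newly added email address). Whatever trips the detector, the response is the one Best Buy took: invalidate the password and make the customer choose a new one.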

The scenario is the reason users are told not to re-use passwords.

And it’s why the hacking trend of posting on the Internet stolen user
names and passwords is alarming, and often means a hack can have
multiple phases beyond the initial theft.

Just today, Formspring reported that it reset upwards of 27 million
passwords when it discovered 420,000 password hashes they believed
belonged to Formspring customers posted to a security forum.

If those hashes are ultimately unscrambled, the real damage for
Formspring users could happen down the road in months or even years if
they used a password over and over again. In the recent LinkedIn hack,
passwords were unscrambled just a short time after being stolen.

Best Buy customers since April have been reporting their usernames and
passwords were used by someone to access their accounts and purchase
gift cards that were then sent to an email address that did not belong
to the user.

On a Best Buy customer discussion board, one user posted an email
received from Best Buy asking customers to update their passwords
because their credentials, which the company said were not stolen from
Best Buy systems, had been used fraudulently.

“We are currently investigating increased attempts by hackers around
the world to access accounts on BestBuy.com and other online
retailer’s e-commerce sites,” the email said. “These hackers did not
take username/password combinations from any Best Buy systems; they
appear to be using combinations taken elsewhere in an attempt to gain
access to BestBuy.com accounts. …We are taking action now to help
protect your account; we have disabled your current password and ask
that you take a few minutes to reset it.”

The email included a link for a password reset and asked users to
validate personal information.

Susan Busch, Best Buy’s senior director of public relations, confirmed
Best Buy sent the email to customers.

“We believe a secondary party gleaned user information and passwords
from other online sites and then they’re tapping into us and other
retailers to see if people are using their same password across
multiple sites,” said Busch.

Last year, Best Buy and other companies were caught up in the hack of
Epsilon, an email marketing service provider. Epsilon admitted that it
lost user email addresses, but said no personally identifiable
information was taken. It was the second time in a month that Best Buy
customer email addresses were stolen.

On the Best Buy discussion site, some users reported being hacked but
said they were not using a duplicated credential and questioned the
Best Buy alert and explanation.

One participant noted:

“That means this is either an inside (Best Buy employee) hack, or this
is directly due to the Epsilon hacking that happened last year in
2011. If more reports come in by other customers and they admit they
haven’t changed their password in over a year, it could be guaranteed
that the Epsilon hack is the culprit.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list