Collective2 Hacked?

Just got an email from Collective2 stating confidential information was compromised by a hacker? Is this true?

Yes, the email is real, and so too, I’m afraid, is this incident. Please follow the instructions in the email I sent to you, and change your account login by going to:



https://www.collective2.com/changepassword





Is this valid for everyone?

Matthew,



whilst I appreciate the honesty and the swift message and apology that was sent to customers, this leaves some serious questions:



- How was a hacker able to extract customer information from your database? Was this an SQL injection vulnerability? In this day and age, it seems quite astonishing not to have a website holding sensitive customer information properly secured.



- Was customers’ data, including passwords and credit card details, stored unencrypted? If so, will they be encrypted going forward?



I appreciate the swiftness and honesty of C2’s response, but the statement in the email “we will do whatever it takes to protect your security” has, until today, not been true. You have hired a security firm now, but why did you not do a security audit in the past? It seems websites only learn from disasters.



I had to call my bank and cancel my credit card. OK, it’s a minor inconvenience, but nevertheless, it will take 7-10 days until the new card arrives, and I won’t be able to use it for other things, and this is the card I have been using for foreign currency transactions.



In any case, I have already started using virtual disposable credit cards for my internet transactions, and this incident on here tells me that is the best thing to do. I would recommend it to other C2 users, not just for C2 but for Internet transactions generally.

Is this valid for everyone?

When did the "break-in" occur? How long has our credit card info been out there?

Hi Matt,



To what extent was personal information compromised? Was the nature of the attack general enough that any and all personal information should be treated as compromised? Do you have logs of the affected account(s) or was this site-wide?



What areas of personal information were compromised?



Social Security Number / Taxpayer information?

Credit card number, CCV number?

Name, address?

Username, password?



Regards,

–Mike

We do not know the date when the data was acquired. We only know the date that we confirmed that it had been acquired. While we have no evidence that the hacker intended or intends to use the information in any way other than to blackmail C2, all data entered and stored at C2 before yesterday should be treated as potentially compromised. This is the reason we are sending emails to our entire customer database recommending that they change their C2 password, and - if they entered credit cards into the site - that they contact their banks and cancel these cards. I am unable to comment currently on the actual technical methods used by the hacker other than to say that we have identified them and have eliminated those vulnerabilities.



Again, I am sorry that this has happened.

It might help nail down a perpetrator if you ask members to report any spam they suspect could be drawing on their info at C2.



I know that’s a hard call for most, but some people use different email accounts for sites that hold personal info like this one, or could have a unique ‘error’ in their info that would identify C2 as the source if used.



Is this also valid for all vendors? I did not receive an email. Do I need to cancel my CC and change my information?



I hope you weren’t storing CC and password information in a DB unencrypted.

There is a quote from my bank mail about credit card that I used at C2. I was also notified by phone.



"October 29, 2009

Re: Your credit card ending in ****

We have learned that some credit card information on your <bank name> account may have been compromised at an undisclosed third-party location."



There were attempts to withdraw cash from the credit card (cash advance). The operation is prohibited on my credit card because I don’t use it, so the attempts immediately raised alerts on my bank’s side.



Eu

This is ridiculous. Storing credit card data unsecured? Storing password in plain-text in a database, unhashed? That is completely careless. I have no doubt lawsuits against your company would succeed.

"October 29, 2009…



Did you get that from your bank back in October or was it a typo? If that happened 2 months ago that would mean:



1. The C2 database was compromised more than 8 weeks ago.



or



2. The compromise didn’t happen through the C2 website…



I think it is #2, because I think a breach so old would have been noticed earlier and more people’s CC would be compromised…

>Did you get that from your bank back in October or was it a typo?

It’s not a typo. I got the alert at the end of October.



>I think it is #2, because I think a breach so old would have been noticed earlier and more people’s CC would be compromised…

I hope so. I’ve shared the info, because it might be #1 as well. You never know.



Eu

FYI, anyone can put a Fraud Alert on their credit reports. It lasts for 90 days, can be renewed, and is FREE. If you are scared, by all means do that and no one will be able to open new accounts with your social sec number.



http://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/fraudAlert.page



If you are a confirmed victim of identity theft, you can get a free permanent (not just 90 days) lock on your credit. I was a victim (unrelated to C2) in 2008, and that’s what I did. Thieves used my name to get $21,000 in gift cards from 4 stores. I had to file a police report. In the end, it was a minor hassle, but it cost me $0.



So, follow Matt’s initial e-mail instructions, and I’d recommend the fraud alert, and chances are you will be OK.



Kevin

Kevin,



To what "initial e-mail instructions" are you referring? I have not received any emails from C2 regarding any fraud or hack.

I’ll let Matthew post his initial e-mail here, if he chooses. I’ll forward it privately to you.

Kevin,

Can you please also forward it to me.

Thanks,

Karl

I did not receive an email from C2. Matthew, you will need to show your customers, due to this incident, that you take security seriously in order to restore faith. I recommend NOT storing any CC information in your database but with a provider, as well as storing all passwords HASHED and other data encrypted. You should also have a third party complete a security audit and display that. This is not good for business.



I notice these details in your post:



ALL data entered and stored at C2 BEFORE YESTERDAY should be treated as potentially compromised.



This is the reason we are sending emails to our ENTIRE customer database recommending that they change their C2 password, and - if they entered credit cards into the site - that they contact their banks and cancel these cards.

--------------------------

Thank you Kevin, I appreciate the information.



Perhaps Matthew is sending the instructions to the vendors with the highest ratings first. :frowning:
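The storage advice in this post (hash passwords rather than keep them in plain text, keep card numbers out of the site's own database) and the SQL injection question raised earlier in the thread can be shown together in a small working example. This is an added illustration, not code from Collective2 or from any poster here; it assumes an in-memory SQLite `users` table and PBKDF2-HMAC-SHA256 with a per-user random salt, both chosen for illustration only, and it deliberately stores no card data at all.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Iteration count is an illustrative choice; pick it for the hardware you run on.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def create_user_table(conn: sqlite3.Connection) -> None:
    # Only salt and hash are stored: no plaintext password, no card number.
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterised query: user input never becomes part of the SQL text.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same work for unknown users so response time does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = row
    return verify_password(password, salt, digest)


def demo() -> dict:
    """Exercise the table with constructed sample data and report what each check returned."""
    conn = sqlite3.connect(":memory:")
    create_user_table(conn)
    register(conn, "alice", "correct horse battery staple")  # constructed sample user
    results = {
        "good": login(conn, "alice", "correct horse battery staple"),
        "bad": login(conn, "alice", "wrong password"),
        # A classic injection string is just an unmatched username under a bound parameter.
        "injection": login(conn, "alice' OR '1'='1", "anything"),
        "unknown": login(conn, "bob", "anything"),
    }
    stored = conn.execute("SELECT pw_hash FROM users WHERE username = ?", ("alice",)).fetchone()[0]
    # What a database dump would expose: the digest, not the password.
    results["plaintext_in_db"] = b"correct horse" in stored
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is what a stolen copy of the table yields: a salt and a PBKDF2 digest per user, which still has to be brute-forced one account at a time, rather than the password itself. Card numbers never reach this schema, which is the "use a provider" recommendation in practice.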