Crooks claim to have stolen 20k customer records from Superdrug cosmetics retailer
21.8.18 securityaffairs Incindent

Hackers claim to have stolen the personal details of almost 20,000 Superdrug customers who shopped online at the cosmetics retailer.
The British Superdrug is the last victim of a security breach, hackers claim to have stolen the personal details of almost 20,000 people who shopped online at the cosmetics retailer.

Hackers accessed customers’ names, addresses and in some cases dates of birth, phone number and points balances.

The company has confirmed the incident, the good news is that hackers did not access payment card details.

Superdrug notified the incident to the customers via email warning of the “possible disclosure of your personal data, but not including your payment card information.”

The hackers contacted the company on Monday evening informing it they had obtained details on approximately 20,000 customers, as a proof of the hack they shared details of 386 of the accounts compromised.

“The hacker shared a number of details with us to try and ‘prove’ he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.” reported the DailyMail citing a spokeswoman for the company.

The hackers likely attempted to blackmail the company to avoid to publicly disclosed the hack.

“The crooks alleged they had “obtained information on approximately 20,000 customers but we have only seen 386,”

Superdrug

@superdrug
To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.

6:29 PM - Aug 21, 18
565
517 people are talking about this
Twitter Ads info and privacy
“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”

superdrug cosmetics

Superdrug tried to downplay the incident, sustaining that the hackers obtained the credentials from third-party data breaches. Crooks exploited the fact people reuse their passwords across various web services.

Anyway, Superdrug customers need to reset the password they use to access to Superdrug.com.

Superdrug reported the issue to the authorities and Action Fraud and it “will be offering them all the information they need for their investigation.”

“We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.” reads the note sent via email to the customers.