HMV & Xtra-vision Hacked

  • 10-12-2015 3:24pm #1
    Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    HMV & Xtra-vision have been hacked, there is some vague information about it on their Facebook page but are trying to keep it as quiet as possible.

    Sometime over the last two weeks the addresses of customers making online orders have been changed to an alternate address, so that the new address would receive the orders. HMV claim that the Gardaí are currently dealing with the matter.

    Their website is still up and they are still taking orders even though they cannot confirm that the site is secure or that new orders will be sent to the correct address. They haven't taken down the site as they don't want to affect business over the busy Christmas period and they are just hoping that the hack doesn't happen again.

    They have not informed customers of any of the issues, including what personal information other than addresses has been accessed. They cannot confirm that card information is secure. If you want any information you have to demand it and drag it out of them over the phone. They are not, or at least are very slow (2 days' wait so far), to respond to emails or social media messages.

    They have confirmed that they will not be issuing refunds to the affected customers at the moment stating that they hope to have the issues resolved by the 18th of December and customers can request refunds if they have not received their goods by that time.

    This is all a complete joke, if they even have an information security team they must only employ clowns. They are handling this situation as incompetently as possible.

    Personally I will probably cancel my card with the bank and do a chargeback for stolen funds.



Comments

  • Registered Users, Registered Users 2 Posts: 6,902 ✭✭✭MagicIRL


    Having worked for Xtra-vision in the past, I'm not surprised. What a shíthole.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    GarIT wrote: »
    HMV & Xtra-vision have been hacked, there is some vague information about it on their Facebook page but are trying to keep it as quiet as possible.

    Sometime over the last two weeks the addresses of customers making online orders have been changed to an alternate address, so that the new address would receive the orders. HMV claim that the Gardaí are currently dealing with the matter.

    Their website is still up and they are still taking orders even though they cannot confirm that the site is secure or that new orders will be sent to the correct address. They haven't taken down the site as they don't want to affect business over the busy Christmas period and they are just hoping that the hack doesn't happen again.

    They have not informed customers of any of the issues, including what personal information other than addresses has been accessed. They cannot confirm that card information is secure. If you want any information you have to demand it and drag it out of them over the phone. They are not, or at least are very slow (2 days' wait so far), to respond to emails or social media messages.

    They have confirmed that they will not be issuing refunds to the affected customers at the moment stating that they hope to have the issues resolved by the 18th of December and customers can request refunds if they have not received their goods by that time.

    This is all a complete joke, if they even have an information security team they must only employ clowns. They are handling this situation as incompetently as possible.

    Personally I will probably cancel my card with the bank and do a chargeback for stolen funds.

    Well GarIT, I would have thought you knew about SSL since you stick IT in your username. Therefore the only information that could have been compromised is the shipping address and not any CC information and who cares about that, sure if you look in a phone book you can get someones address.

    Leave them alone, they have informed their customers and give refunds in 8 days if the situation has not been resolved.


  • Registered Users, Registered Users 2 Posts: 7,221 ✭✭✭circadian


    kjl wrote: »
    Well GarIT, I would have thought you knew about SSL since you stick IT in your username. Therefore the only information that could have been compromised is the shipping address and not any CC information and who cares about that, sure if you look in a phone book you can get someones address.

    Leave them alone, they have informed their customers and give refunds in 8 days if the situation has not been resolved.

    Heartbleed/POODLE/Freak/Beast.

    All fine and well going on about SSL, but it shouldn't be used.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    kjl wrote: »
    Well GarIT, I would have thought you knew about SSL since you stick IT in your username. Therefore the only information that could have been compromised is the shipping address and not any CC information and who cares about that, sure if you look in a phone book you can get someones address.

    Leave them alone, they have informed their customers and give refunds in 8 days if the situation has not been resolved.

    SSL won't protect their databases from being hacked. Given the site is secured with SSL the address couldn't have been accessed at the time of ordering either, someone has to have gotten access to their internal systems. Customers shouldn't be left waiting until the last weekend before Christmas to know if the kids presents will actually be delivered and then if they do issue refunds on or after the 18th there will be no chance of getting the refund in time for Christmas. It's not ok that a customer should have to wait until December 18th to find out if they will receive orders placed back in November with a stated maximum delivery of 5 days. At this point they should be issuing refunds rather than saying they will deliver the products when they can, at this point I don't want the products, I just want a refund so I can buy them from a trustworthy company.

    They haven't informed their customers either, they posted a message on their Facebook page, no customers were directly contacted and all they have said is that there was a shipping issue they are trying to fix, nothing about whether we should change the password used on their site etc.

    I just got an email from them all it says is "Dear Customer, We are working to resolve the situation" no apology, no information.


  • Closed Accounts Posts: 12,452 ✭✭✭✭The_Valeyard


    Why now? Why not years ago?


  • Closed Accounts Posts: 34,809 ✭✭✭✭smash


    Xtra vision once told me that I owed them €4 for a late return fee of a VHS I had rented in the 90's. Apparently it was a glitch on their system.

    I don't know how they're still in business to be honest. They've only recently got into the DVD postage system that Netflix and others were doing 10 years ago.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    GarIT wrote: »
    SSL won't protect their databases from being hacked. Given the site is secured with SSL the address couldn't have been accessed at the time of ordering either, someone has to have gotten access to their internal systems. Customers shouldn't be left waiting until the last weekend before Christmas to know if the kids presents will actually be delivered and then if they do issue refunds on or after the 18th there will be no chance of getting the refund in time for Christmas. They haven't informed their customers either, all they have said is that there was a shipping issue they are trying to fix, nothing about whether we should change the password used on their site etc.

    I just got an email from them all it says is "Dear Customer, We are working to resolve the situation" no apology, no information.

    Right because they store cc info in plain text on a db. :rolleyes:

    Also any password information will be stored in md5, so again no need to change passwords.


  • Registered Users, Registered Users 2 Posts: 20,592 ✭✭✭✭kneemos


    smash wrote: »
    Xtra vision once told me that I owed them €4 for a late return fee of a VHS I had rented in the 90's. Apparently it was a glitch on their system.

    I don't know how they're still in business to be honest. They've only recently got into the DVD postage system that Netflix and others were doing 10 years ago.


    Overpriced Galaxies.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    kjl wrote: »
    Right because they store cc info in plain text on a db. :rolleyes:

    I would assume they don't but you could be surprised. It's great that you think it is secure when all they can say is that they don't know yet.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    GarIT wrote: »
    I would assume they don't but you could be surprised. It's great that you think it is secure when all they can say is that they don't know yet.

    Any CC vendor will not allow you to store cc information unless you follow very strict data protection guidelines which include encrypted cc information.

    I get you are pissed off, I would be too, but they can't help it, they are the victims here. The people you should be pissed at are the scumbags who hacked their system, which I would imagine would have to be an inside job. It's not like the DB servers are open to public IP, which means they would have needed VPN or some kind of intranet access.


  • Moderators, Recreation & Hobbies Moderators Posts: 4,668 Mod ✭✭✭✭Hyzepher


    If their site was hacked to redirect orders to a 3rd-party site, then I'd expect all CC and other personal details to have been obtained maliciously.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    Hyzepher wrote: »
    If their site was hacked to redirect orders to a 3rd-party site, then I'd expect all CC and other personal details to have been obtained maliciously.

    True, but they would not have a valid cert, and even my mum knows to look for the padlock when entering CC information.

    Plus the OP said they edited delivery addresses to get the goods, they didn't set up a dummy site.


  • Moderators, Music Moderators, Society & Culture Moderators Posts: 25,734 Mod ✭✭✭✭Boom_Bap


    I don't think that some people understand 'hacking'.

    This screams of some sort of script injection to change the delivery address stored on a database.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    kjl wrote: »
    Plus the OP said they edited delivery addresses to get the goods, they didn't set up a dummy site.

    That seems to be the case, they said that the delivery address was changed after orders were placed. I didn't notice anything wrong with the site at the time. Debit card was charged by HMV, they just shipped the order to the wrong address for myself and many other people before they noticed a problem.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    Boom_Bap wrote: »
    I don't think that some people understand 'hacking'.

    This screams of some sort of script injection to change the delivery address stored on a database.

    I don't think so, the site appears to be written in JSF which has XSS protection built in


  • Registered Users, Registered Users 2 Posts: 43,028 ✭✭✭✭SEPT 23 1989


    I thought they had to inform the Data Protection people and they informed the public?


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    kjl wrote: »
    I get you are pissed off, I would be too, but they can't help it, they are the victims here. The people you should be pissed at are the scumbags who hacked their system, which I would imagine would have to be an inside job. It's not like the DB servers are open to public IP, which means they would have needed VPN or some kind of intranet access.

    I wouldn't be pissed off if they were handling it properly. They are refusing to give any information unless you demand it and drag it out of them. From what I understand they don't know what is happening, but they should be giving more information than "We are working on it" and "the gardaí are looking into it" if they are going to expect me and their other customers to just wait until it is resolved. I get that it's not their fault that the addresses were changed, but it is their problem and not mine; they have charged my card, they should refund it and sort their own problems later rather than telling me they will attempt to recover the goods and deliver them eventually if they can.

    All I want is a refund so that I can do my Christmas shopping elsewhere given that they haven't and can't in the foreseeable future deliver what I have ordered. If I got that I'd be happy to leave them alone.


  • Moderators, Recreation & Hobbies Moderators Posts: 4,668 Mod ✭✭✭✭Hyzepher


    GarIT wrote: »
    That seems to be the case, they said that the delivery address was changed after orders were placed. I didn't notice anything wrong with the site at the time. Debit card was charged by HMV, they just shipped the order to the wrong address for myself and many other people before they noticed a problem.

    Ah, makes more sense now. I took it up that it changed the ADDRESS of the website and customers were entering details on a non-HMV site. My bad.


  • Moderators, Music Moderators, Society & Culture Moderators Posts: 25,734 Mod ✭✭✭✭Boom_Bap


    kjl wrote: »
    I don't think so, the site appears to be written in JSF which has XSS protection built in

    That would all depend on how it's written and the version.
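    As an added example, not code from this thread or from HMV's site (whose stack and schema are unknown here): the shape of injection Boom_Bap is describing, against a hypothetical address-update query, beside the parameterised form that closes it. The orders table, the SQLite backend and the payload are all constructed for illustration. Output escaping in a view layer acts when a stored value is rendered into HTML, which is a different boundary from the one this query crosses.

```python
import sqlite3

# Constructed sample data; the table layout is an assumption, not HMV's schema.
SAMPLE_ORDERS = [
    (1, "alice", "1 Main St, Dublin"),
    (2, "bob", "2 High St, Cork"),
    (3, "carol", "3 Low Rd, Galway"),
]

# Hypothetical attacker-supplied "new address". The quote closes the string
# literal, WHERE 1=1 widens the update to every row, and -- comments out
# the rest of the original statement.
INJECTED_ADDRESS = "9 Drop Box Lane, Dublin' WHERE 1=1 -- "


def make_db():
    """Fresh in-memory database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, address TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def addresses(conn):
    """Map order id -> current shipping address."""
    return dict(conn.execute("SELECT id, address FROM orders ORDER BY id").fetchall())


def update_address_vulnerable(conn, order_id, new_address):
    """Builds the statement by string formatting, so user text becomes SQL."""
    sql = "UPDATE orders SET address = '%s' WHERE id = %d" % (new_address, order_id)
    conn.execute(sql)
    conn.commit()


def update_address_safe(conn, order_id, new_address):
    """Parameterised statement: the driver passes the address as data, never as SQL."""
    conn.execute("UPDATE orders SET address = ? WHERE id = ?", (new_address, order_id))
    conn.commit()


def demo():
    """Run the same payload through both handlers; returns (vulnerable, safe) results."""
    vuln = make_db()
    update_address_vulnerable(vuln, 1, INJECTED_ADDRESS)
    safe = make_db()
    update_address_safe(safe, 1, INJECTED_ADDRESS)
    return addresses(vuln), addresses(safe)


if __name__ == "__main__":
    after_vuln, after_safe = demo()
    print("vulnerable:", after_vuln)  # every order now ships to 9 Drop Box Lane
    print("safe:      ", after_safe)  # only order 1 changed, to the literal payload text
```

    With the vulnerable handler one request rewrites the shipping address on every order in the table, which is the "all orders to one address" pattern the thread is speculating about; the parameterised handler stores the payload as an ordinary string on a single order.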


  • Registered Users, Registered Users 2 Posts: 1,752 ✭✭✭Lights On


    Hopefully I get a brand new PS4 shipped to my house.


  • Closed Accounts Posts: 23,495 ✭✭✭✭Billy86


    smash wrote: »
    Xtra vision once told me that I owed them €4 for a late return fee of a VHS I had rented in the 90's. Apparently it was a glitch on their system.

    I don't know how they're still in business to be honest. They've only recently got into the DVD postage system that Netflix and others were doing 10 years ago.

    That's what I love about the move towards new, streaming-type services - it's pushing all the lazy hacks who expected to just be able to sit back and demand people's money (and for years, who could just do that) out of business due to their failure to adapt.


  • Closed Accounts Posts: 114 ✭✭ponzook


    kjl wrote: »
    I don't think so, the site appears to be written in JSF which has XSS protection built in

    We don't know the back end of their system. Can easily be hacked if they don't have the right protocols in place. Every website and database we use may or may not be secure, especially with idiots looking after them.

    E.G

    http://uk.businessinsider.com/talktalk-hacked-credit-card-details-users-2015-10


  • Closed Accounts Posts: 3,969 ✭✭✭Mesrine65


    Once again HMV fucks over their customers at Xmas time :rolleyes:

    Having worked for them for nearly a decade (in a security role), this does not surprise me in the least.


  • Registered Users, Registered Users 2 Posts: 26,458 ✭✭✭✭gandalf


    Not sure if it is a hack or there was a fault with the website. This girl on twitter got a heap of gear she didn't order.

    https://twitter.com/deborahyoung204/status/674729539474452481

    I see another lad complaining he was charged €1940 instead of €68.


  • Registered Users, Registered Users 2 Posts: 3,003 ✭✭✭Hammer89


    I've owed Xtra Vision £12.90 since 1999. If the hackers could do me a solid and erase any record of this it'd be great.


  • Registered Users, Registered Users 2 Posts: 9,166 ✭✭✭Fr_Dougal


    Sounds as if it might be a corrupt database rather than a hack.


  • Registered Users, Registered Users 2 Posts: 1,561 ✭✭✭Umaro


    Doesn't seem like they got hacked if the goods are showing up to the wrong houses. Just horrendous database management.


  • Registered Users, Registered Users 2 Posts: 1,561 ✭✭✭Umaro


    I'm going to put that girl's tweets in a more readable order:

    debbie young @deborahyoung204 · 19 hours ago
    @hmvtweets @Xtravision

    ATTENTION PLEASE TO ALL HMV/XTRAVISION CUSTOMERS*** I URGE YOU TO CONSULT THE DATA PROTECTION COMMISSIONER AFTER READING THIS POST***

    If you have ordered any products from the company's website in the past 2/3 weeks I may have received your orders wrongfully to my address with my name. I have approximately 9 boxes with 20/30 orders in each all addressed to different customers. These packages have names and addresses on the outside and I can only assume invoices inside. I tried endlessly to return these products for 3 days calling the company to no avail. When the company finally got in touch with me I was treated with nothing but disrespect and furthermore was told XTRAVISION/HMV have not informed you of this huge mistake nor the data protection commissioner.
    I have had to stretch myself endlessly to co-ordinate a time at which these parcels could be collected, in regard to my hectic work schedule, but nevertheless I'm sure you will all be eager to receive your orders.

    I HOPE YOU RECEIVE A SINCERE APOLOGY FROM THE COMPANY WHICH I HAVE NOT
    RECEIVED AND CONSULT YOUR CONSUMER RIGHTS TO RECEIVE BETTER CUSTOMER SERVICE IN FUTURE AND MORE SERIOUS REGARD OF YOUR PERSONAL INFORMATION. I WOULD HATE TO THINK WHAT COULD HAVE HAPPENED HAD THESE PACKAGES FALLEN INTO THE WRONG HANDS COURTESY OF XTRAVISION/HMV.


    Theres enough time now for Xtra Vision to sort this out before Christmas.. but sounds like some serious arrogance on their side.


  • Registered Users, Registered Users 2 Posts: 7,221 ✭✭✭circadian


    If it was a hack all it would take is a hacker getting onto the network (there's a myriad of ways of doing this, social engineering most likely) then you could guess they're probably using Oracle, which is susceptible to the POODLE attack. I've seen many instances since last year of Oracle not being updated/patched because it was a manual/difficult process from older versions.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    I was wondering what benefit could come from changing the addresses of customers. If you change it to your own address sure you get some free stuff, but then they know who/where you are. If you send it to someone else's house how do you get your stuff?


  • Registered Users, Registered Users 2 Posts: 94 ✭✭JohnPPP


    GarIT wrote: »
    I was wondering what benefit could come from changing the addresses of customers. If you change it to your own address sure you get some free stuff, but then they know who/where you are. If you send it to someone else's house how do you get your stuff?

    Could it be a case of randomly giving say 10% of orders to the hacker and the rest to other random customers to make it more difficult to track them?


  • Closed Accounts Posts: 5,681 ✭✭✭JustTheOne


    The most worrying part is the gardai are dealing with it.

    Can imagine them huddled around an old desktop with windows 98 and a dial up internet connection scratching their heads.


  • Banned (with Prison Access) Posts: 187 ✭✭warpdrive


    Are people still buying DVDs and CDs? Everything else they sell like consoles, games and electronics can be gotten elsewhere for cheaper most often.


  • Registered Users, Registered Users 2 Posts: 7,221 ✭✭✭circadian


    GarIT wrote: »
    I was wondering what benefit could come from changing the addresses of customers. If you change it to your own address sure you get some free stuff, but then they know who/where you are. If you send it to someone else's house how do you get your stuff?

    Disgruntled employee? Grabbing details that could be sold on as well.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    An update from HMV Ireland's Facebook page. According to the woman who received 9 large boxes of HMV stock, HMV have threatened to sue her for defamation if she does not remain silent about what happened.

    She has also been threatened by HMV that they would accuse her of theft to the Gardaí when she was not at home at the time they decided to arrive (without informing her) to collect what they had sent to her house.

    She also had to endure a HMV manager shouting at her that this was "all her fault" after she contacted them and invited them to collect the goods.


  • Moderators, Music Moderators, Society & Culture Moderators Posts: 25,734 Mod ✭✭✭✭Boom_Bap


    GarIT wrote: »
    An update from HMV Ireland's Facebook page. According to the woman who received 9 large boxes of HMV stock, HMV have threatened to sue her for defamation if she does not remain silent about what happened.

    She has also been threatened by HMV that they would accuse her of theft to the Gardaí when she was not at home at the time they decided to arrive (without informing her) to collect what they had sent to her house.

    She also had to endure a HMV manager shouting at her that this was "all her fault" after she contacted them and invited them to collect the goods.

    That's an update from the girl's Twitter account, not Xtravision/HMV. :)


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    Boom_Bap wrote: »
    That's an update from the girl's Twitter account, not Xtravision/HMV. :)

    I meant from their page, not from HMV themselves, as I said, "According to the woman...."

    This morning they are claiming that the courier they used was at fault and delivered all the deliveries to one address despite HMV giving them all of the different addresses. The woman at that address claims every box was addressed to her house.

    They are also claiming that there was no data breach despite customer support telling me there was and asking for my address so that they could correct it on their system yesterday.


  • Posts: 0 [Deleted User]


    Could this be a death knell for these companies in Ireland? I'm not sure how widely reported this is, but if they are essentially telling people to stop ordering items in the run up to Christmas ... even if they get it fixed, there's going to be a lot of trust lost by many customers. I mean, Xtravision have started shutting stores across the country.


  • Registered Users, Registered Users 2 Posts: 3,127 ✭✭✭kjl


    HMV and Xtravision have been using a shake-out strategy for years. They could have easily started a streaming service like Netflix, but they refused to update their business.

    This could well be the last nail in the coffin. I was initially going to give them the benefit of the doubt but the way they are handling the woman who is trying to give them back their stuff is just plain moronic.


  • Posts: 0 [Deleted User]


    I dunno.. it seemed a bit silly that she took photos of it and put it on social media. But I personally would have just popped into my local store, let them know there, and let them sort it out there. I mean, they shouldn't have acted so aggressively, but to me both are in the wrong.


  • Registered Users, Registered Users 2 Posts: 61,272 ✭✭✭✭Agent Coulson


    From their Facebook page:
    There was a completely isolated incident involving one delivery in which a courier mis-delivered a number of customers' packages to a single customer. We have recovered the parcels and informed the customers of new delivery dates and apologise for any inconvenience caused. Speculation of anything beyond this regarding company deliveries and data is entirely false and unfounded.


  • Registered Users, Registered Users 2 Posts: 2,763 ✭✭✭Sheeps


    If it was a hack there's no guarantee that credit card information is safe (regardless of SSL as one of the first respondents mentioned). PCI DSS means they really shouldn't be taking payments unless they're following at least the basics of Information Security which would involve ensuring any credit card data is encrypted at rest, whether in a database or not.


  • Closed Accounts Posts: 20 GoodKill


    I know a lot of people would be out of jobs (and I'd feel sorry for them), but these stores are zombies and have been for years. Die already.

    Watch a movie? TV, Netflix, Amazon Prime, download.

    Buy a movie? iTunes, Amazon, Google Play or download.

    Similar for music and gaming. And for a lot cheaper.

    I haven't bought anything from these stores in about 7 or 8 years. I don't get why anyone would use HMV or particularly, Xtra-Vision.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭littleblackDRS


    GoodKill wrote: »
    I haven't bought anything from these stores in about 7 or 8 years. I don't get why anyone would use HMV or particularly, Xtra-Vision.

    Would you believe, I bought my brothers Xmas present there this year because I thought it would be easier to deal with if there was a problem with my order!


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    Some customers are now posting on HMV's Facebook page saying that they got an email stating that they can be refunded as soon as lost goods are covered by An Post's insurance (which is 15 working days after purchase). So HMV have posted that they have recovered all the missing orders and are still trying to claim against An Post's insurance.

    This whole situation has some strong similarities to someone flailing their arms as they are drowning. They seem to be looking to get an insurance claim out of this.

    There has also been a poster on Facebook defending them who has nothing on their page. Friends list is not private but shows 0 friends and their only profile picture ever is a tree and that profile picture was uploaded today. Seems like a fake account to me.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,591 Mod ✭✭✭✭Capt'n Midnight


    kjl wrote: »
    Right because they store cc info in plain text on a db. :rolleyes:

    Also any password information will be stored in md5, so again no need to change passwords.

    LOL

    If they didn't use good salt and you didn't use a very secure password then md5 is trivial

    Lots of reverse md5 lookups on the interweb

    http://md5.gromweb.com/
    https://isc.sans.edu/tools/reversehash.html


  • Closed Accounts Posts: 1,796 ✭✭✭Azalea


    GarIT wrote: »
    I wouldn't be pissed off if they were handling it properly. They are refusing to give any information unless you demand it and drag it out of them. From what I understand they don't know what is happening, but they should be giving more information than "We are working on it" and "the gardaí are looking into it" if they are going to expect me and their other customers to just wait until it is resolved.

    But what if the people responding to you don't *have* any further information? It's customer care advisors, not IT professionals - if they had the information they'd give it, for an easy life.

    Mesrine65 wrote: »
    Once again HMV fucks over their customers at Xmas time :rolleyes:

    Having worked for them for nearly a decade (in a security role), this does not surprise me in the least.

    How have they ****ed over their customers? :confused:
    This compromise isn't their fault, it was done by someone else obviously.

    Huge misunderstandings out there about internal processes and how long they take and who has responsibility for what. Awful lot of shooting the messenger.

    Glad to see HMV won't be harangued and stated it's an isolated incident and any speculation otherwise is unfounded, instead of a simpering apology - nothing to be sorry for.


  • Registered Users, Registered Users 2 Posts: 2,763 ✭✭✭Sheeps


    No one will ever crack my md5 hashed password 2ac9cb7dc02b3c0083eb70898e549b63


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,591 Mod ✭✭✭✭Capt'n Midnight


    Sheeps wrote: »
    No one will ever crack my md5 hashed password 2ac9cb7dc02b3c0083eb70898e549b63

    +1

    It's more than eight characters with a capital and a number so yeah it's bulletproof.
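    As an added example, not code from anyone in this thread: what kjl's "stored in md5, so no need to change passwords" and Capt'n Midnight's reverse-lookup reply amount to in practice, and what a site should store instead. The wordlist is constructed (a real lookup table has hundreds of millions of entries); the hash is the one Sheeps posted above; the salted-MD5 and PBKDF2 variants are illustrative choices, not anything known about HMV's site.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the tables behind the reverse-lookup
# sites linked above.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "xtravision"]

# The hash Sheeps posted in this thread.
PAGE_HASH = "2ac9cb7dc02b3c0083eb70898e549b63"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """One precomputed hash -> plaintext table. With no salt, the same table
    serves every user of every site that stored bare MD5."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(digest, table):
    """Reversing an unsalted MD5 is a dictionary lookup, not a computation."""
    return table.get(digest)


def salted_md5(salt, password):
    return hashlib.md5(salt + password.encode()).hexdigest()


def crack_salted(salt, digest, words):
    """A per-user salt voids the shared table: the attacker must re-hash the
    whole list for each user. Weak passwords still fall, just not for free."""
    for w in words:
        if salted_md5(salt, w) == digest:
            return w
    return None


def hash_password(password, salt=None, iterations=200_000):
    """What a site should store: a random per-user salt plus a deliberately
    slow, iterated KDF (PBKDF2-HMAC-SHA256 here; scrypt/argon2 are also fine)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted lookup:", crack_unsalted(PAGE_HASH, table))
    salt = os.urandom(8)
    target = salted_md5(salt, "Password1")
    print("salted, shared table:", crack_unsalted(target, table))
    print("salted, per-user dictionary run:", crack_salted(salt, target, WORDLIST))
    stored = hash_password("Password1")
    print("pbkdf2 verify:", verify_password("Password1", *stored))
```

    The unsalted lookup returns the plaintext with no hashing at all, which is why "more than eight characters with a capital and a number" is no defence once the hash is in a breach dump. Salting forces per-user work and breaks the precomputed table; the iteration count in `hash_password` is what turns each of those guesses from microseconds into milliseconds.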

