Security → Break-in at VUDU offices March 24, 2013 - Hard Drives Stolen

Received this email about 20 minutes ago:

We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.

While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.

SECURITY PRECAUTIONS:
If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.

As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.

As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.

Thank you,

Prasanna Ganesan
Chief Technology Officer, VUDU

Haha..you beat me by five minutes...give the mods a few minutes to delete mine....

I'll add to what I added to my other post before it gets nuked:

quote:

---

Little bit worrisome, eh?

Never heard of AllClear ID, what do people around here know about it?

Also wondering why it took until March 24 (should have said April 8) to let me know!

On the bright side, I'm a Canadian living in Ontario so whatever info the criminals have, I'm somewhere in Parksley, Virginia to them....

---

FAQ
»www.vudu.com/password_faq.html

Guess they walked past the walmart greeter who was guarding the door?

Interesting really, sort of a physical cyber hack, physically break in, steal the hard drives and hack the credit cards off them. Could be the next wave given internet security has improved, now the back door of the building is the low hanging fruit.

Blake

Seems to be the way it works, eh?

They say everything is encrypted, but you gotta wonder just how well it is.

They could have used the most funky, complex encryption scheme in the universe, but if the system admin had it on a post-it note stuck to the server and they grabbed that as well as the drives, well bugger I guess they scored and the price of credit cards on the black-market takes a hit.

Blake

The HDDs weren't encrypted?

They say only the passwords were encrypted, and credit card data was last 4 digits only... all other information... names, address, etc was cleartext.