Hungryhouse resets thousands of customers' passwords
Online takeaway service Hungryhouse has reset the passwords of thousands of its customers following an apparent data breach at a third party hosting company. Scott Fletcher, chief executive of Hungryhouse, said: "We had no affiliation with the web hosting company that was hit by a data breach. But when our head of security …
COMMENTS
Friday 27th November 2015 17:35 GMT Anonymous Coward
Re: Not surprising
@Wolfetone; You seem to think that Hungryhouse itself is a takeaway firm. It isn't- it's a platform/website acting as an intermediary ordering service on behalf of multiple third-party small takeaway services, a la "Just Eat".
Not that I'm defending their service- I've no idea if they're good or bad since I've never used them personally- but I'd assume the "minimum wage" comment was also pulled out of your nether regions...?
Friday 27th November 2015 12:55 GMT scottf007
Very disappointing
As a long time register reader, and the CEO of hungryhouse, I can say that I am very disappointed by The Register - biting the hands of the facts.
They called me after publishing this post.
We have had no data breach.
We reacted to a data leak by '000webhost'. http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
We have no affiliation, or relationship to them. When the customer list was leaked, we compared this list to ours. If there was an email address match, we deleted the customer's payment information and reset the password as a precaution. We took this precaution after the Talktalk leak etc.
This is sensationalist reporting, and has very few facts.
Scott Fletcher
CEO hungryhouse
Friday 27th November 2015 12:59 GMT Oh Matron!
Re: Very disappointing
Scott,
Firstly I'm impressed with the response. Some of the criticism still stands, however, if true. If you're going to use social media as an outlet for both news and support, make sure it's staffed by people who are kept abreast of news and facts, rather than kids who have the largest number of Instagram followers.
However, I echo your disappointment. The Register has become the Daily Mail of tech websites
Friday 27th November 2015 13:36 GMT Anonymous Coward
Re: Very disappointing
So essentially what you're saying is that none of your services or client data are on 000webhost but when your client's email addresses turned up in a list of those affected by a hack of their services you took the initiative and reset their passwords/deleted payment details in case they'd recycled passwords?
If that's the case, I think perhaps an email to the potentially compromised accounts would have been a better response,
As it stands, you're also guilty of sensationalism because you should have no way of knowing if those clients had recycled passwords.
Unless you're telling us you store passwords in plaintext?
Friday 27th November 2015 13:48 GMT Electron Shepherd
Re: Very disappointing
you should have no way of knowing if those clients had recycled passwords... Unless you're telling us you store passwords in plaintext?
If the compromised web host leak included email / password pairs, anyone can see if one of their own customers is reusing passwords, even if they themselves only store hashed passwords. You simply need to put the leaked password through your hashing algorithm, and see if you get the same hash as you have for that email address.
Saturday 28th November 2015 09:46 GMT Sgt_Oddball
Re: Very disappointing
Which would be really slack of those hashing not to do it properly.
Password + email ain't that great, but add another value in (makes no difference to the length of the hash, just a different value), say a web domain/IP/name of the company/dev's first pet, and it makes rainbow tables useless to reapply to datasets elsewhere.
It's just lazy if it's not included.
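The check described two replies up, plus the extra site-wide value suggested here, as an added example that is not Hungryhouse's code or anything from the thread: a leaked email/password list is re-hashed with each matching customer's per-user salt and a site-wide pepper and compared with the stored hash, so reuse is detected without the site ever holding plaintext. Matched accounts then get the remediation Scott describes (forced reset, payment token dropped). The pepper, the users and the leak rows are all constructed, and PBKDF2 stands in for whichever slow password KDF a site actually uses.

```python
# Added example, not Hungryhouse's code. Detects password reuse by re-hashing a
# leaked plaintext with the stored salt and a site-wide pepper; no plaintext
# is ever stored. All users, leak rows and the pepper are constructed.
import hashlib
import hmac
import os

PEPPER = b"constructed-pepper-kept-outside-the-db"  # assumption: a config secret


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt plus site-wide pepper; PBKDF2 stands in for any slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, 50_000)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "hash": hash_password(password, salt),
            "payment_token": "tok_constructed",  # card held only as a token
            "must_reset": False}


def find_reused(users: list, leak: list) -> list:
    """Emails whose leaked plaintext re-hashes to the hash we hold for them."""
    by_email = {u["email"].lower(): u for u in users}
    hits = []
    for email, leaked_pw in leak:
        user = by_email.get(email.lower())
        if user is None:
            continue  # the leaked address is not a customer here
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.append(user["email"])
    return hits


def remediate(users: list, hits: list) -> int:
    """Force a reset and drop the payment token for matched accounts."""
    count = 0
    for user in users:
        if user["email"] in hits:
            user["hash"] = os.urandom(32)  # no password re-hashes to this
            user["must_reset"] = True
            user["payment_token"] = None
            count += 1
    return count


# Constructed sample data: one reused password, one same-address/different
# password, one customer absent from the leak, one leaked non-customer.
USERS = [make_user("alice@example.com", "hunter2"),
         make_user("bob@example.com", "correct horse battery"),
         make_user("carol@example.com", "unrelated-pw")]
LEAK = [("alice@example.com", "hunter2"),
        ("BOB@example.com", "hunter2"),
        ("dave@example.com", "whatever")]

if __name__ == "__main__":
    hits = find_reused(USERS, LEAK)
    print("reused:", hits, "remediated:", remediate(USERS, hits))
```

Only a match proves reuse; a leaked address with a different password, like bob here, shows up in the leak list but is left alone.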
Friday 27th November 2015 13:59 GMT tiggity
Re: Very disappointing
An upvote, pretty much what I was thinking (though as has been pointed out can check password match (barring random hash collision) whilst having NON plaintext password storage)
@scottf007
Given that people often reuse passwords, I can see the concern that given a list of stolen emails & associated passwords from an unrelated site, then there is a chance that any users of hungryhouse in that list may be using the same passwords in hungryhouse.
A good, non customer irritating response would have been to email those customers of yours and warn them, rather than pre-emptive password reset.
Without a very clear explanation, many of your customers will have a WTF! angry response to (a potentially well intentioned or catastrophically arrogant depending on viewpoint) account lockout.
I'm assuming a password reset on hungryhouse would need a whole lot of security questions answering & various hoops to jump through?
If not a painful security exercise to reset password, then totally pointless to reset, as could reasonably assume a user has same password for their email provider as was on that hacked credentials list & thus the email account could easily be compromised & so a password reset would have achieved little
As the forbes article you referenced mentioned, the affected hosting site did not verify email address registration, so (as Troy Hunt found) it was possible to sign up to the web hosting service using any random email address, so potentially a proportion of the "union" between your customer list & breach list, may not be a genuine match as possible the genuine email address owner never actually signed up to the web hosting service
Plus, scottf007, the quote: "We deleted the customers payment information"
Irretrievably deleted?
So, the password reset customers also have to jump through the hoops of re-entering all their payment data .. cue even further disgruntled customers
Why delete the payment data - surely you would have nothing on your financial systems in a form an attacker could use..
Friday 27th November 2015 15:11 GMT Little Mouse
Re: Very disappointing
I'd say, in HungryHouse's defense, that they were stuck between a rock and a hard place in this situation. Realistically, what could they do?
1) Do nothing? But it's a sure thing that many users DO recycle passwords - therefore if the email accounts had been compromised then their HungryHouse account could be wide open too.
2) Send an email to the affected users' email addresses? Maybe, but I know that any emails I get that tell me I've been hacked go straight in the bin. I don't even read them - life's too short. And let's not forget that these email addresses have been compromised - you might just be emailing the perp, not the victim.
3) Take local action to make sure someone else's data breach doesn't cause problems in your own backyard? Well, that's what they've done, and they are now getting flack for it. It's disruptive - but seriously disruptive? C'mon...
I'd say hats off for trying, but there's room for improvement.
Tuesday 1st December 2015 09:04 GMT Anonymous Coward
Re: Very disappointing
If financial details are stored, like Just Eat, it's to pay for your takeaway so YES, they could fleece your card / account.
Scott, well done for being proactive.
Next time just deny everything like Talk-Talk and you'd still get the same response from the reg commentards
Damned both ways
Saturday 28th November 2015 12:04 GMT Anonymous Coward
Re: Very disappointing
"As it stands, you're also guilty of sensationalism because you should have no way of knowing if those clients had recycled passwords."
As someone who lives outside the UK, I'd never heard of HungryHouse before, so I suppose it's a case of "There's no such thing as bad publicity".
But as another poster points out, given a plain text password leaked elsewhere, you can check to see if putting it through your one-way hashing algorithm comes up with the same result as held in your own database.
Friday 27th November 2015 14:49 GMT Known Hero
Re: Very disappointing
@scottf007
Just wondering, I am presuming it was you who undertook the decision to reset people's passwords?
If so, how much of that decision making process would you attribute to the ranting of commentards on here, and if so are you wondering why now they are having a go at you for being too paranoid?
You loose some and you loose some. I'm sure that's how it's meant to be written ;)
but seriously, how much do you feel your decision (if it was yours) was influenced by reading the reg and its comments.
Friday 27th November 2015 16:47 GMT TRT
Re: You loose some and you loose some.
But the problem is that I now need to follow the password reset procedure which involves sending an email to my (compromised) TalkTalk email address, but the TalkTalk email servers are completely shitted out at the moment and are taking between 4 and 48 hours to receive and process email, so I can't reset my password because I'll never get the email.
So I guess I'm having beans on toast this evening. #minifistpump
Friday 27th November 2015 19:09 GMT Mark 85
Re: Very disappointing
It would seem that https://haveibeenpwned.com/ is not a very well known website outside of some IT types. I kicked this to my department a couple of months ago as a help and only 5 out of approximately 75 people had ever heard of it and were happy to find out about it.
Friday 27th November 2015 14:07 GMT Anonymous Coward
I never liked them anyway...
They occupy space at the top of search results making it difficult to find the number of my local takeaways. I prefer do a local transaction with local folk without involving a scalper who sits in the middle, adding nothing but inconvenience to a system that already worked.
Friday 27th November 2015 14:21 GMT Billa Bong
Re: I never liked them anyway...
You pride yourself on having a personal relationship with your local takeaways, but have to google their numbers...?
A scalper makes something available that is not available from the official source at a heavily marked up price, which I think is inaccurate here...?
You call HungryHouse a scalper, but presumably you use Amazon for purchasing items from time to time where eventually you'll be buying through Amazon from a 3rd party; are they scalpers also...?
You don't have to use hungryhouse. Just keep the takeaway menus by your phone and dial them direct. No one is forcing you to use this service, nor post such a strange response to a technical article about proper online account security.
Kudos to HH for taking precautionary measures on behalf of any customers you have that may have recycled passwords, even if the communication to those customers seems to have left a little to be desired among them.
Friday 27th November 2015 14:59 GMT Tom 38
Re: I never liked them anyway...
Meh, that's just BS. Before hungryhouse and justeat came along, most of the takeaways, particularly the cheaper ones, round my way (East London) either didn't deliver at all or only accepted cash. Having a single payment processor for takeaways is a win for consumer trust, enabling more places to deliver to more people and employ more delivery drivers and staff.
Similarly, TopTable can be seen as a parasite on restaurants, or a way that allows them to maximise their covers on a slow Tuesday.
PS: What's going on? What all this shouting? We'll have no trouble here!
Friday 27th November 2015 15:30 GMT Anonymous Coward
Card details were obtained actually
My wife had an unauthorised order placed on her hungryhouse account a few weeks ago, and the support team weren't very helpful and just said they had seen this happen before, there may have been a breach, and they've reset her password. Either this was unrelated, or in fact the breach being reported here did include enough information to hijack accounts and place orders.
I also don't buy the "it is purely the hosting partner's fault". The application provider needs to take responsibility for the security of the customer data they hold. If they use a third party hosting provider to do so, it remains their responsibility to ensure the relevant infrastructure security services are in place.
Friday 27th November 2015 16:05 GMT Blitheringeejit
Re: Card details were obtained actually
> Either this was unrelated, or in fact the breach being reported here did include enough information to hijack accounts and place orders.
Or her email and password were obtained from an unrelated breach of another system, and she used the same password for both..? Isn't that the point of this whole thread?
And I can't see why you assume that her card details were harvested from HH, when all that happened was that her account was used by someone else to order food. Rider - I've never used HH so I don't know how their system works, but in most systems I HAVE used, if the customer chooses to allow the site to remember the card details, normally a login is all that's required to place an order, and the card details are not displayed in full when doing so. If I were criminally minded and got hold of someone else's card info with the intention of misusing it, I'd be buying something much more expensive than a takeaway.
Why beer? Friday!!!
Friday 27th November 2015 17:08 GMT Hans Neeson-Bumpsadese
Checks and balances
Given that the point of HH is to get stuff delivered to your home, it would seem reasonable to have an initial check that if the order is for an address other than the customer's registered home address. If it's different, then do a quick check (e.g. call to customer's registered phone number) to confirm it's a genuine order (e.g. I'm using my account while at a friend's house) as opposed to shenanigans.
Friday 27th November 2015 18:02 GMT scottf007
Responses
Hello,
This will be the last comment on this thread from me, but just some answers to questions that were posted, roughly in the order they appear.
Communication with customers: Nothing to say here, but this was poor. We could have done a much better job. The SMS people received was automatic, and was missed in our check list. People were only supposed to receive the email that went out.
Password Reset: This takes someone maybe 30-60sec. Just a link and re-enter passwords, standard security practice currently.
Payment Information: We store payment details as a token, and are PCI compliant, and are audited as such. We do not store customer payment information as anything but a token.
Password reset vs customer communication: I decided to do this as this way we would know we have done everything we can to keep customers safe, which is a nice segue into the next point.
Patterns of attacks we see: We see constant attempts to get into customer accounts through various methods. Most attacks have a user name and password already. They try specific combinations, and are not random - the attackers have lists of emails and passwords (only an issue if people use the same password as talktalk etc). We monitor attempts to login and ip addresses / sessions / device fingerprints etc. This is a game that all online companies face, and our job is to make this harder and harder, while keeping it easy for customers.
Pain to order if you can not access your email: You can order as a guest any time from our website.
Scalper: Restaurants pay us commission, and customers pay the same price as an offline order. If we find an error in prices, we change this immediately or take the restaurant offline.
Card details obtained: This can not happen as we do not have the card details of anyone. Possibly if an account login and password was obtained it could be possible to place an order, similar to most online services. We are making this harder all the time as well, through fingerprinting etc.
Checks and Balances: We are audited twice per year by an external security company. This includes penetration testing, code reviews amongst many other things. We implement all their recommendations as soon as we can. We also follow up to date security practices and try to ensure that we are at the forefront. One of these was to take the action we took today because of the patterns of attacks we see. We are not perfect, but take security very seriously, and try to constantly improve our processes and performance. We will continue this.
I hope this helps. Thanks for all the notes and feedback.
Cheers
Scott
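The login monitoring described in the "Patterns of attacks we see" answer above, as an added example that is not Hungryhouse's code: credential stuffing with a leaked list looks like one source cycling through many different accounts, so the detector counts distinct usernames per IP and per device fingerprint inside a sliding window and then lists the accounts that logged in successfully from a flagged source (the ones to reset). The log format, the addresses and the fingerprint values are all constructed.

```python
# Added example, not Hungryhouse's code. Flags login sources that try many
# distinct accounts in a short window (credential stuffing) and lists the
# successful logins from those sources. Log lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2015-11-27T12:00:01Z ip=203.0.113.5 fp=f1 user=alice@example.com result=fail
2015-11-27T12:00:02Z ip=203.0.113.5 fp=f1 user=bob@example.com result=fail
2015-11-27T12:00:03Z ip=203.0.113.5 fp=f1 user=carol@example.com result=success
2015-11-27T12:00:04Z ip=203.0.113.5 fp=f1 user=dave@example.com result=fail
2015-11-27T12:00:05Z ip=203.0.113.5 fp=f1 user=erin@example.com result=fail
2015-11-27T12:00:30Z ip=198.51.100.7 fp=f2 user=frank@example.com result=fail
2015-11-27T12:00:45Z ip=198.51.100.7 fp=f2 user=frank@example.com result=fail
2015-11-27T12:01:10Z ip=198.51.100.7 fp=f2 user=frank@example.com result=success
2015-11-27T12:05:00Z ip=192.0.2.9 fp=f3 user=grace@example.com result=fail
2015-11-27T12:05:01Z ip=192.0.2.10 fp=f3 user=heidi@example.com result=fail
2015-11-27T12:05:02Z ip=192.0.2.11 fp=f3 user=ivan@example.com result=fail
2015-11-27T12:05:03Z ip=192.0.2.12 fp=f3 user=judy@example.com result=fail
"""


def parse(line: str) -> dict:
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str, window=timedelta(minutes=5), max_users=3) -> dict:
    """{(kind, value): distinct users} for IPs/fingerprints over the limit."""
    recent = defaultdict(deque)  # (kind, value) -> deque of (ts, user)
    flagged = {}
    for rec in map(parse, log_text.splitlines()):
        for kind in ("ip", "fp"):  # a fingerprint survives IP rotation
            key = (kind, rec[kind])
            q = recent[key]
            q.append((rec["ts"], rec["user"]))
            while rec["ts"] - q[0][0] > window:
                q.popleft()
            users = {u for _, u in q}
            if len(users) > max_users:
                flagged[key] = max(len(users), flagged.get(key, 0))
    return flagged


def successes_from_flagged(log_text: str, flagged: dict) -> list:
    """Accounts that logged in from a flagged source: candidates for a reset."""
    return sorted({r["user"] for r in map(parse, log_text.splitlines())
                   if r["result"] == "success"
                   and (("ip", r["ip"]) in flagged or ("fp", r["fp"]) in flagged)})


if __name__ == "__main__":
    hits = detect(LOG)
    print(hits)
    print("reset:", successes_from_flagged(LOG, hits))
```

frank's three attempts from one address are one user mistyping and stay below the threshold, while the f3 fingerprint is caught even though every attempt came from a different IP.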
Friday 27th November 2015 21:22 GMT David Roberts
Seems logical to me
Details including email address and password stolen from another site: possible obvious risks :
(1) Same email address and password used - so reset password as first line defence.
(2) As above for email account at ISP - so email account may be compromised. So password reset using email address may be compromised. So delete payment details as second line of defence.
Payments can then only be authorised by someone with email address and relevant card detail. This is the same level of checking as for a new account. So best efforts by the site to protect customers.
This is obviously a pain for anyone who hasn't been compromised when their details were stolen but it seems to be a thoughtful and logical approach. Much more proactive than relying on the breached site to persuade all customers to change all their accounts (assuming that they can remember them all and can be arsed). This is a major benefit for this approach - dormant users don't get their account hijacked without them noticing and active users can easily reset their details. This gives me a lot of confidence in the IT awareness of this company. They just need a spin doctor to handle their social media.
Friday 27th November 2015 23:39 GMT Anonymous Coward
Re: Seems logical to me
I'm with you most of the way Mr Roberts, right up to the last line:
"They just need a spin doctor to handle their social media."
No, no and no again to spin doctors.
Yes to better responses on-line and I think from Scott's replies that lesson might have been learned.
But still no, no and no again to spin doctors.
Monday 30th November 2015 08:23 GMT Scyta1e
Coincidence?
I think there is possibly more to this than being pro-active. I have personally had £160+ of orders placed on the 23rd/24th of November. I contacted HH online on the 22nd after receiving what I hoped were spurious e-mails. Turned out they weren't. In total 11 different orders to different restaurants (and bizarrely 2 refunds) placed on the 22nd hit my account on the 23rd and 24th - including the refunds (all £16 of it)! I've only ever made 3 orders with HH, twice in May and once in June of this year.
The only reason I knew anything about it was that 2 of those orders were followed up by a rate your meal mail request. HH at this point have simply wiped my payment details; the account is still there pointing to some "other" e-mail address. The order history shows a set of orders placed in Birmingham when the delivery address is in Merseyside (and doesn't even have a house number). On the website it actually says the restaurants are outside the delivery area when you review the order.
Annoyingly for me it wasn't until the 24th that HH appeared to act and sent me a mail indicating the account was reset and I should sort out any issues with my bank.
I'm hoping my case is isolated - hacked online accounts are an annoying fact of life. What concerns me more here is the complete lack of basic validation: multiple charges to a single payment in an evening, to several different restaurants, with invalid delivery address details in a geographically separate area. Come on HH, you can do better than that, this is basic stuff.
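The order-time checks asked for in the "Checks and balances" comment and in the post above, as an added example that is not Hungryhouse's code: each rule yields a reason, and an order with any reason is held for confirmation (the phone call to the registered number) instead of being dispatched. The restaurant delivery areas, postcode districts, customer and orders are all constructed, with the fraudulent batch modelled on the post above (Birmingham restaurants, a Merseyside address with no house number, several orders in one evening).

```python
# Added example, not Hungryhouse's code. Holds takeaway orders that look
# wrong for confirmation: restaurant cannot deliver there, address has no
# house number, delivery away from the registered address, or a burst of
# orders on one account. All restaurants, districts and orders are constructed.
import re
from datetime import datetime, timedelta

RESTAURANT_AREAS = {"curry-b1": {"B1", "B2"},    # Birmingham, constructed
                    "pizza-l1": {"L1", "L2"}}    # Liverpool, constructed

CUSTOMER = {"email": "customer@example.com", "home_district": "L1",
            "phone": "constructed-registered-number"}


def check_orders(customer: dict, orders: list, areas: dict,
                 max_per_window: int = 3, window=timedelta(hours=3)) -> dict:
    """Return {order_id: [reasons]} for orders to hold for confirmation."""
    held = {}
    recent = []  # timestamps of this account's orders inside the window
    for o in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        if o["delivery_district"] not in areas.get(o["restaurant"], set()):
            reasons.append("outside restaurant delivery area")
        if not re.search(r"\d", o["address_line"]):
            reasons.append("address has no house number")
        if o["delivery_district"] != customer["home_district"]:
            reasons.append("delivery away from registered address: confirm by phone")
        recent = [t for t in recent if o["ts"] - t <= window] + [o["ts"]]
        if len(recent) > max_per_window:
            reasons.append(f"{len(recent)} orders within {window}")
        if reasons:
            held[o["id"]] = reasons
    return held


def order(oid, ts, restaurant, district, address_line):
    return {"id": oid, "ts": datetime.fromisoformat(ts), "restaurant": restaurant,
            "delivery_district": district, "address_line": address_line}


# Constructed history: two genuine orders, then four placed in one evening
# from Birmingham restaurants to a Merseyside address with no house number.
ORDERS = [order("o1", "2015-06-01T19:00", "pizza-l1", "L1", "12 Bold St"),
          order("o6", "2015-06-10T19:00", "pizza-l1", "L2", "5 Hope St"),
          order("o2", "2015-11-22T20:00", "curry-b1", "L9", "Some Road"),
          order("o3", "2015-11-22T20:05", "curry-b1", "L9", "Some Road"),
          order("o4", "2015-11-22T20:10", "curry-b1", "L9", "Some Road"),
          order("o5", "2015-11-22T20:15", "curry-b1", "L9", "Some Road")]

if __name__ == "__main__":
    for oid, why in check_orders(CUSTOMER, ORDERS, RESTAURANT_AREAS).items():
        print(oid, why)
```

o6 is the friend's-house case from the earlier comment: a valid address the restaurant can reach, so the only action is the confirmation call, whereas o2 to o5 trip the area and address rules and o5 also trips the burst rule.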
Monday 30th November 2015 08:23 GMT jnm8210
Thank you Hungry House
I am one of the twitter users quoted on the article & have registered here to reply to some of the comments. There were comms issues, yes, but Scott has accepted that & I am more than happy to accept them now that I know why.
Having been very aware of my internet security after all the press reports & various emails from various companies INCLUDING 000webhost (whom I would ask why they still had my info after they closed down my account after no traffic for their prescribed period), I had signed up to a well known credit reference agency & they emailed me an alert that my email address had been found on a website with a password. They only told me the first two letters, which to my relief did not match my email account password. I was left worried what site I had used a password on with those 2 start letters.
At least now I can be fairly certain that it was an insignificant free webhosting service. For that I am most grateful to HungryHouse.
While I do not reuse passwords (and the comms caused me short term stress), I do appreciate these actions & clearly, as some intelligent posts have said, where the donor site also hosted email services, deleting my card details (which I can confirm HH have done) was the correct thing to do & very much appreciated. Resetting my password was very straightforward.
Thank you Scott & as I said in my tweets of apology, I authorise you to use any of my comments in any way that you wish.
Does anyone know how I can recommend HH for an award/good news story?