Office website hacked: Passwords, addresses, phone numbers slurped

British shoe shop chain Office is the latest corp to cop to a computer security breach – one that's leaked names, addresses, phone numbers, emails and passwords of its customers. The high-street name is refusing to say whether those web account passwords were stored in plaintext, or in a hashed or encrypted form. The firm …

COMMENTS

This topic is closed for new posts.
  1. Dan 55 Silver badge
    Devil

    I see what you did there

    I want the Reg gravestone icon back.

    1. Anonymous Coward
      Trollface

      Re: I see what you did there

      Evil el Reg.

      1. b166er

        Re: I see what you did there

        Surely we deserve a share of the revenue for this article :D

  2. wowfood

    Be an optimistic pessimist

    Always assume the worst, that way you're rarely disappointed, and often pleasantly surprised. Hence I'll assume it was all stored plain text. That way if it turns out it was encrypted we'll all be pleasantly surprised. Even though I don't have an account there anyway.

    1. Anonymous Coward
      Joke

      Re: Be an optimistic pessimist

      I select my password from the local bookstore. So should anyone get hold of it, at least it's a nice read for them...

  3. kryptonaut
    Flame

    Ubiquitous passwords

    This is happening too frequently. It seems every website you go to these days wants you to create a permanent account, with an associated unique (hence forgettable) password. I'm sick of it. The other day I wanted to buy my sister a Next voucher, which should have been a simple online process, but there was no way to do it without creating an account - so they lost my business.

    Retailers - if someone placed a one-off order over the phone, would you force them to create an account? No? Then why would you do that for an online purchase? By all means provide an option for people to have their details stored with you for their own convenience (not yours) if they choose to accept the risk that you'll disclose (accidentally or deliberately) that information to others, but don't make it a prerequisite for business, or you will lose customers.

    1. Anonymous Coward

      Re: Ubiquitous passwords

      "Retailers - if someone placed a one-off order over the phone, would you force them to create an account"

      Almost every retailer I know that takes an order over the phone automatically creates an account in their system for you. It may not be linked to an online one but almost every business has an accounting system where an account is created per customer, most will also link that to the sales as well so that management can toss themselves off over the largest customers' latest purchases. This has been common practice for years (both the account creation and the tossing).

    2. Dr Who

      Re: Ubiquitous passwords

      Never mind over the phone. What if you walked in to a physical shop (I know, SO last century) and before they allowed you to buy anything you had to give the shop assistant your full name and email address. You just wouldn't do it.

      1. Anonymous Coward

        Re: Ubiquitous passwords

        "Never mind over the phone. What if you walked in to a physical shop (I know, SO last century) and before they allowed you to buy anything you had to give the shop assistant your full name and email address. You just wouldn't do it."

        Of COURSE I would never do it! *scoff* (hides Tesco clubcard under the table)

      2. Stuart Halliday

        Re: Ubiquitous passwords

        Last shop that did that was Tandy.

        They got very upset if you refused. Needless to say they are no longer trading...

        1. Anonymous Coward 101

          Re: Ubiquitous passwords

          Get yourself a password locker. I use KeePass; it is free and multiplatform. I don't know how I lived without it.

      3. Anonymous Coward

        Re: Ubiquitous passwords

        There are some shops that do just sell the goods and it gets recorded in a common "account" for walk-in customers.

        If I buy something like a pair of socks, I don't particularly want to have to tell you my name, address, age and inner leg measurement, I just want to receive my goods and be on my way. If you don't stock an item, or maybe I need an appointment, sure, I'll leave some contact details, for that purpose only.

        As for warranty, the original receipt should contain enough information for you to identify the product was purchased from you, and should be printed in a manner that will last the warranty period.

        If something goes wrong, and you need my details for warranty purposes, I'll provide them, but otherwise you shouldn't need my details.

        Right up there in the irritation stakes are those companies who don't list prices, instead you've got to contact them. These companies get my business only as a last resort after every other possible avenue has been considered (including doing without).

      4. h4rm0ny

        Re: Ubiquitous passwords

        >>"What if you walked in to a physical shop (I know, SO last century) and before they allowed you to buy anything you had to give the shop assistant your full name and email address. You just wouldn't do it."

        Happened to me some years back buying a printer from Curry's. Got as far as having the cash in my hand and the assistant started demanding name, address, email / phone. Said 'no' and they actually refused to sell it to me. So I left.

        1. Anonymous Coward

          Re: Ubiquitous passwords

          They have to take those details. Either:

          1) Electrical goods for safety/recall. Though possibly not, as other stores do not do this. However, which would you prefer? The store that calls you to say the kettle/cooker/microwave has been recalled as it explodes, or the store that never bothered to get your phone number?

          2) To send you adverts in the post.

          I'd prefer the ease of mind knowing I'd get contacted (as they are legally obligated to) if there was a problem, over worrying about a tiny slip of paper in the letter box advertising the latest 10% sale. Junk mail or not, I'm not drowning in it any time soon.

        2. Anonymous Coward

          Re: Ubiquitous passwords

          Happened to me some years back buying a printer from Curry's. Got as far as having the cash in my hand and the assistant started demanding name, address, email / phone. Said 'no' and they actually refused to sell it to me. So I left.

          I would have given them some details:

          Last name: Business

          First name: None

          Initials: O Y

          … you get the idea.

      5. Lost in Cyberspace

        Re: Ubiquitous passwords

        Is that not what Matalan used to do? Force you to give details and pay a quid for the privilege before you could buy anything... Yeah, that was one of the reasons I didn't shop there

    3. SVV

      Re: Ubiquitous passwords

      Whilst I agree with all the points you make here, and share your irritation at the spiralling number of passwords you need these days (I keep all mine in a secure mini-app I wrote myself), the problem is deeper than just this issue.

      There is no guarantee of quality of security when using sites like these, and some kind of security audit kitemark type scheme, possibly linked to the site's SSL certificate so that browsers could be configured to avoid all the amateurish sites is sorely needed.

      And for the idiots who run the "Office Shoes" website, here is some basic free advice: you don't allow external logins to your production servers ever, only through firewalls configured to allow access from known IP addresses. Preferably one IP address only accessible via SSH, that of an intermediate proxy server, the IP address of which is known only to your sysadmins.

      1. Tim Bates

        Re: Ubiquitous passwords

        "There is no guarantee of quality of security when using sites like these, and some kind of security audit kitemark type scheme, possibly linked to the site's SSL certificate so that browsers could be configured to avoid all the amateurish sites is sorely needed."

        And where exactly do you think the average online store owner will get the money required for such audits? Or are we considering a half-arsed script run remotely by Verisign to be enough to call it "audited", thus invoking a lovely sense of false security?

  4. Don Jefe
    Thumb Up

    Hospital

    What a strange name for a shoe shop. I like it. I'm going to open a high end tool shop and call it Hospital and offer really easy credit terms. That way one visit to an actual hospital will allow husbands everywhere to embezzle tool buying funds by disguising them as hospital bills.

    1. graham_
      Joke

      Re: Hospital

      There is (or was) a music label called Hospital. And they sold records.

      1. Mike Timbers

        Re: Hospital

        As opposed to Office who appear to give records away for free

        (I'll get my coat)

    2. Tom Wood
      Pint

      Re: Hospital

      There's a student pub in Leeds called The Library (I presume it used to be one).

      But I imagine it makes for good cover-up stories (spent all afternoon in the library, etc...).

      1. Anonymous Coward

        Re: Hospital

        It was a library, and yes, that's the joke...

  5. Anonymous Coward

    Interesting pubs

    There was a pub in Worthing which had a reputation that it was easier to get a joint than a pint. After a major raid by police it got slammed with all manner of fines and sold...The new owners called it Boots (but the sign showed it was nothing to do with a chemist of a similar name).

    Anon because I can (and probably should on this one)

  6. Stuart Halliday

    I suspect Foot Warriors from Brontitall...Hopefully just an advanced scouting party?

  7. Not That Andrew
    Mushroom

    Were you trying to give me a heart attack you bastards!

    1. Anonymous Coward

      Indeed…

      and here I was thinking, ohh dear, Microsoft made a boo boo with Office 365…

      Least that's the office that comes to mind on this site.

  8. Mephistro
    Devil

    I need some clarification

    "only accounts created before August 2013"

    So they have pwned Office 2013?

    .

    .

    .

    ;-)
