Burglars broke into offices at movie service Vudu late last month and stole hard drives containing customers' personal data, the company told customers in an email sent on Tuesday.
In a statement on its site, the Wal-Mart-owned business said that the hard drives contained customer data including names, email addresses, mailing addresses, account activity, dates of birth, and encrypted passwords.
The hard drives also contained the last four digits of some credit card numbers, according to the email, which CNET reproduced here.
Vudu emphasized that no full credit card numbers were breached, given that the company doesn't store that information (smart!).
The company is resetting all passwords, in spite of the breached passwords having been encrypted.
That, says Chief Technology Officer Prasanna Ganesan in the email, is because hey, you never know if the encryption could wind up getting broken:
"While the stolen hard drives included Vudu account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well."
While it's nice to hear that the passwords were encrypted, that word certainly doesn't tell us much, since we don't know just how strong the encryption used by Vudu was.
Resetting passwords is, indeed, a proactive move.
Still, an even better move would have been for Vudu to have salted and hashed passwords and informed customers of that fact. (Vudu told me it couldn't release specific details about drive encryption, FWIW.)
In fact, that's what Evernote did when it advised its 50 million users in early March that a security breach had led to hackers stealing usernames, associated email addresses and encrypted - using hashes and salting - passwords.
As another precautionary step, Vudu is providing customers with a year of AllClear ID identity protection services.
It's also put up an FAQ page about the heist.
The company recommended that customers take these precautionary steps:
- You'll have to change your Vudu password. If you use your now-expired Vudu password on any other sites, change it on those sites, as well.
- Beware of e-mails or phone calls from anyone asking for personal information or directing you to a website where you're prompted to provide personal information. Vudu will never ask you for personal or account information in an e-mail, so there's every reason to suspect that such calls or emails are from phishers.
And probably most security experts would agree with this piece of advice for Vudu: if you're not already salting and hashing passwords, please start.