Hackers who claim to have cracked a Domino’s Pizza database say they have stolen the details of more than 650,000 dough-loving customers.
The hacker group, going by the name of Rex Mundi, says the data will be released later today if the pizza chain fails to pay a ransom of €30,000 ($40,590, £23,930).
In a post on dpaste.de, the group said it had gained access to a customer database shared between Domino’s France and Domino’s Belgium, which contains passwords and personal data belonging to customers who had previously registered for home deliveries:
Dear friends and foes,
Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That's over six hundred thousand records, which include the customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).
Rex Mundi gave a deadline of 8pm CET (7pm BST) for Domino’s to pay up, claiming that failure to do so would result in the posting of “the entirety of the data in our possession on the internet.”
The hacking group also publicised its attack on Twitter (the account now appears to be suspended), along with a message to the pizza chain’s customers advising them to sue if Domino’s failed to pay up.
To prove they have the database in their possession, the hackers published the names, addresses, telephone numbers, email addresses and passwords of three customers from each of the two country sites.
And, if Domino’s requires further proof that the group is serious, it need look no further than Americash Advance. In 2012 Rex Mundi published thousands of customer records after the payday lender chose not to hand over a $20,000 “idiot tax”.
Then, earlier this year, the group tried to extort $20,000 from Belgian hosting provider AlfaNet after stealing customer records.
Belgian newspaper De Standaard reports that Domino’s spokesperson André ten Wolde said the company has contacted all affected customers and that no credit card information has been compromised.
Domino’s France has, however, released a series of tweets in which it explains that it has fallen victim to professional hackers who will likely be able to decrypt customers’ passwords.
With that in mind, we would urge Domino’s customers to change their passwords immediately.
Choose something strong, making sure it consists of at least 14 characters and uses a combination of upper and lower case letters, numbers and special characters.
And always, always, always use a different password for each site you use. (If you struggle to remember them all you can use a password manager.)
When hackers steal login information from one site, they often try the same combinations against other sites. If each password is unique, they won’t be able to access any of your other online accounts.
What is the database type that has been exploited?
There really is no excuse for keeping literal passwords on databases. They should be encrypted at the very least. Better still hashed with SHA1 for instance.
I agree wholeheartedly, but it sounds like they WERE encrypted, based on the article. Unfortunately, that’s not enough as evidenced by Adobe’s debacle last year. You hit the nail on the head – hash and salt them!
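The salted, slow hashing the two comments above recommend, written up as an added example (not code from the article, from Domino’s, or from the commenters); the iteration count and record format are assumptions chosen for illustration. Unlike an encrypted password, a stored record like this cannot be reversed, and the per-user salt means two customers with the same password get different records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a work factor
# high enough to make offline guessing slow, and a 16-byte random salt per user.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    Storing the algorithm and iteration count alongside the hash lets the
    work factor be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_record(password: str) -> bool:
    """True only if two independent hashings of one password collide (they should not)."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    # Constructed sample: a customer password registered on a delivery site.
    stored = hash_password("margherita-2014")
    print(stored)
    print("login ok:", verify_password("margherita-2014", stored))
    print("wrong password ok:", verify_password("pepperoni", stored))
```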
“explains that it has fallen victim to professional hackers who will likely be able to decrypt customers’ passwords.”
kane and able that lol
Yeah should deffo be hashed
I guess their security is as good as their pizza. =/
Hahahaha.. I like that one. I can’t believe there are over 850,000 households who actually like their pizza.
Once again the poor old customer gets the problem! It really is time for governments worldwide to hold companies and their directors responsible and STOP BLAMING THE USER. I wonder what would have been the case if, for example, the appropriate database was maintained on a hardened (e.g. SELinux FMAC based system such as RHEL-6, etc.) operating system with correct “profiles” enforced? It is time that governments do indeed start to take interest in the “hardening” of national information infrastructure just like they regulate security and safety controls on roads, air services, and the like.
Who cares about passwords? Hash, salt, SHA blah.. the hackers already got the plunder, which in this case is the personal [and very useful] details of thousands of Domino’s customers.
If I had my hands on all of that good stuff I would be so much closer to getting a nice fat mortgage (not in my name of course) and a beautiful house somewhere in the sun 🙂
As for 14 character passwords, Domino’s France, why not make them 20, or maybe 25 characters just to be on the safe side. Yeah, wouldn’t want hackers accessing my account without my authorization and paying for a pizza to be delivered to my address. A free pizza from the hackers, that would be devastating!
Will they put the results up on PastaBin?