A&B Sound hacked? (1 Viewer)

[Douglas C]

I don't suppose anyone checked out www.absound.ca (very) early this morning? I did, and to my surprise I didn't find the usual start page - but a complete byte-by-byte dump of their ENTIRE database (several 10's of Mb worth)
including customer credit card details!!
I'm not sure what action (if any) I should take, but I'll certainly be checking my next statement closely for any fraudulent claims.

 

[Hakan Powers]

Yes they have been hacked. I (and many other customers) received this email from them (also up on the site):

PRESS RELEASE
During the early morning hours of May 18, 2001, the security on the
web site maintained by A&B Sound Ltd. was breached by unknown
persons. A&B Sound Ltd. has reason to believe that credit card
information belonging to customers who had open, unprocessed orders
on the web site may have been obtained and that unauthorized use of
that information may have occurred.
The web site, www.absound.ca was immediately shut down by A&B
Sound Ltd. pending an internal and police investigation. A&B Sound
Ltd. has also retained external computer security experts to
assist in the investigation.
A&B Sound Ltd. has emphasized that the security breach is limited
to open, unprocessed on-line orders and that the security of credit
card information belonging to its retail store customers has not
been affected in any way. A&B Sound Ltd.’s on-line orders are dealt
with independently of its retail operations. On-line orders
represent less than 1% of A&B Sound Ltd.’s business.
A&B Sound Ltd. is in the process of notifying all customers whose
credit card security may have been compromised. It is advising
them to immediately report this incident to their credit card
issuer as a precautionary measure.
If you are receiving this email it is because you had an open,
unprocessed order. Anyone who has placed an order from A&B Sound
Ltd.’s web site and has not received the product ordered is
advised to immediately notify their credit card issuer.
Customer inquiries should be forwarded to [email protected].
A&B Sound Ltd. regrets any inconvenience that this matter has
caused its valued customers.

I hope this doesn't get ugly, but I do appload A&B for being upfront and honest about what has happened.
------------------
My movies
HTF AFI Top 100 Challenge: 71 70 69 68 films remaining.
Next Up: The Sound of Music
The Price of freedom is eternal vigilance - Thomas Jefferson

 

[alan halvorson]

A&B Sound has indeed been hacked: If anyone has an open order with them (that's me), you've got problems. I received this e-mail last night:
During the early morning hours of May 18, 2001, the security on the web site maintained by A&B Sound Ltd. was breached by unknown persons. A&B Sound Ltd. has reason to believe that credit card information belonging to customers who had open, unprocessed orders on the web site may have been obtained and that unauthorized use of that information may have occurred.
The web site, www.absound.ca was immediately shut down by A&B Sound Ltd. pending an internal and police investigation. A&B Sound Ltd. has also retained external computer security experts to assist in the investigation.
A&B Sound Ltd. has emphasized that the security breach is limited to open, unprocessed on-line orders and that the security of credit card information belonging to its retail store customers has not been affected in any way. A&B Sound Ltd.'s on-line orders are dealt with independently of its retail operations. On-line orders represent less than 1% of A&B Sound Ltd.'s business.
A&B Sound Ltd. is in the process of notifying all customers whose credit card security may have been compromised. It is advising them to immediately report this incident to their credit card issuer as a precautionary measure.
If you are receiving this email it is because you had an open, unprocessed order. Anyone who has placed an order from A&B Sound Ltd.'s web site and has not received the product ordered is advised to immediately notify their credit card issuer.
Customer inquiries should be forwarded to [email protected].
A&B Sound Ltd. regrets any inconvenience that this matter has caused its valued customers.

------------------
You Can't Roller Skate In a Buffalo Herd - Roger Miller

 

[Douglas C]

A&B are clearly being less than forthcoming in their "press release". I haven't had an "open unprocessed order" with them in over a year, and yet I received their e-mail warning and saw with my own eyes my credit card info displayed on their site. If ANYONE has EVER placed an order with A&B Sound, their credit card information was probably posted.
This is pretty scary stuff--I'm cancelling my credit card NOW.

 

[alan halvorson]

I have just cancelled both my credit cards - I had no idea which one I used - and what a pain, not the cancelling part, but remembering where I've preordered stuff.
Not a good experience - a real confidence shaker. I will be more cautious in the future.
------------------
You Can't Roller Skate In a Buffalo Herd - Roger Miller

 

[Alex Johnson]

yeah, anyone who has ordered with them in the past should cancel their account. i had to do this last night.

a
------------------
visit neverville

 

[Yumbo]

They cancelled my account a coupel of months ago.
I did not get an email.
The bank doesn't open till tomorrow.
Would my info have been posted too?
Please mail reply.
Thanks.
------------------
Yumbo - IMDVD

 

[Ugo Scarlata]

Chris,
Your credit card company should have a toll-free 24 hour hotline to report such incidents. I suggest you contact them immediately. And yes, your information was probably still on file, even though your account had been closed.

This breach of security is indeed very disturbing. The cracker apparently gained access to their complete customer database, not just unprocessed orders as their press release would have you believe. And to add insult to injury, the cracker went as far as posting the complete database on the site's main page, for the whole world to see! This means that for several hours on Friday morning, anyone visiting the web site could see a list of tens of thousands of credit card numbers, expiration dates and cardholder names.
A&B Sound has been my preferred etailer ever since Express.com went bankrupt, but I doubt I will ever deal with them again, if they ever manage to get back on their feet. Such a thing could happen to any business, of course, but the nature of this particular crack suggests that there might be more to it than meets the eye...
[ Caution: the following is pure speculation! ]
Based on my previous experiences dealing with network security, I get the feeling that the cracker might have had access to this information for quite some time. This individual could have been blackmailing A&B, threatening to publicly post their complete database unless they complied with his demands. A&B might have ignored these demands, prompting the cracker to make good on his threats.
If that is indeed the case (again, this is pure speculation) A&B would have been aware of this breach in security long before the press release was issued. However, they might have unwisely opted to avoid notifying the authorities, and their customers, until the cracker went ahead and posted the complete database on the site's homepage. At that point, there was obviously nothing left to hide, since thousands of web surfers were greeted by a complete, >750 mb list of credit card numbers when visiting the site.
[ End of speculation. ]

 

[Dave N.]

Did this info include expiration dates and all our shipping and billing info?
Yikes,
Dave

 

[Ali B]

I think the above post os true. This thread over at the DVD Forums has the file mounting upto 750mb!
ali

 

[Don Larson]

I also got the notice from A&B. I checked my MasterCard posts online for 5/17 thru 5/23. It didn't appear that there were any unauthorized charges. I then called the bank and had them cancel the card immediately and issue me a new one. This is too bad about A&B--they were a price leader. Due to this security breach, I doubt I will do business with them again, even if they survive (which I also doubt will happen).
------------------
Don

 

[Jeff]

What's the deal with The DVD Forums? You have to register just to read the threads. So I registered and it said my email address is banned!!! HUH!?
Jeff

 

[Gord Lacey]

A&B Sound is a popular B&M store in Western Canada. They will survive this.
I'm actually "happy" this happened because now they may redesign their website. It was the ugliest thing I've ever seen.