As you’ve most likely seen, data breaches and leaks are happening at an alarming rate – especially this year. Some are massive and others much smaller in comparison; many are deliberate while a number of them are due to a weakness in site security or a simple bug.
Regardless of their size or cause, those breaches and leaks are often dealt with swiftly. But the fixes aren’t always quick, and sometimes your information is open and accessible for lengthy periods of time without you even knowing about it.
That’s what happened late this year, and if you ordered jewelry from Jared or Kay Jewelers, some of your information was shockingly easy to find. The issue has been rectified, but it’s unclear how long your data was exposed.
Order information available for anyone to see
It didn’t take long for Brandon Sheehy to realize there was a problem. The Dallas-based web designer had just bought a pair of earrings online as a surprise gift for his girlfriend when he noticed the issue with his emailed receipt from the jewelry retailer Jared. He found that when he slightly modified the link in the email and pasted it into a web browser, he could access another customer’s order. And it wasn’t just basic information.
Sheehy was able to view the other customer’s name, billing and shipping addresses, email address, phone number, the items that were ordered along with the total cost, a tracking link, delivery date and last four digits of the customer’s credit card.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” Sheehy told KrebsOnSecurity. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”
So he contacted Jared’s parent company, Signet Jewelers, alerting them to the issue and asking that they fix the bug allowing the exposure. Problem solved, right? Not so fast.
Weeks of waiting and no solution
After weeks of seemingly no resolution, Sheehy reached out to KrebsOnSecurity, which investigates computer and online security issues. That’s when Signet responded.
Signet’s chief information security officer said the problem was fixed for all future orders shortly after the company was contacted by Sheehy. But at the time, the company didn’t realize that the issue also applied to all past orders.
The fix now applies to all orders.
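The receipt-link bug described above, and the fix that had to cover past orders as well as new ones, shown as an added example (not Signet’s code): a lookup that serves whatever order number appears in the link, beside a hardened lookup that also requires a random per-order token. The order records, token store and function names are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample orders, keyed by a sequential and therefore guessable order number.
ORDERS: Dict[int, dict] = {
    100234: {"name": "A. Example", "last4": "1234", "tracking": "TRK-0001"},
    100235: {"name": "B. Example", "last4": "5678", "tracking": "TRK-0002"},
}

# Hypothetical per-order receipt tokens, populated when a receipt link is issued.
RECEIPT_TOKENS: Dict[int, str] = {}


def lookup_order_vulnerable(order_id: int) -> Optional[dict]:
    """The pattern behind the exposure: the link carries only the order number,
    and the server returns whatever order that number names. Nothing in the
    request proves the caller is the customer who placed the order, so a
    changed number in the link reveals someone else's details."""
    return ORDERS.get(order_id)


def issue_receipt_token(order_id: int) -> str:
    """Hardened variant, step 1: each receipt link gets a random 256-bit token
    that is stored next to the order. The order number alone is no longer enough."""
    token = secrets.token_urlsafe(32)
    RECEIPT_TOKENS[order_id] = token
    return token


def lookup_order_hardened(order_id: int, token: str) -> Optional[dict]:
    """Hardened variant, step 2: the order is served only if the presented token
    matches the one issued for that exact order. A wrong token gets the same
    answer as an unknown order, so the response does not reveal which numbers exist."""
    expected = RECEIPT_TOKENS.get(order_id)
    if expected is None or not hmac.compare_digest(expected, token):
        return None
    return ORDERS.get(order_id)


def backfill_receipt_tokens() -> int:
    """The lesson from the delayed fix: protecting only new orders leaves every
    existing order reachable through its old link. Issue tokens for all orders
    that lack one so the hardened lookup can be enforced for past orders too."""
    missing = [oid for oid in ORDERS if oid not in RECEIPT_TOKENS]
    for oid in missing:
        issue_receipt_token(oid)
    return len(missing)
```

Once every order has a token, the old number-only links can be retired and any request that still presents only a number is a useful signal to log and review.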
What orders were impacted
The bug exposed information for orders placed online at Jared and Kay Jewelers, which are both owned by Signet. The company also owns other brands, including Zales and Piercing Pagoda, but the problem did not affect those sites.
This is similar to a weakness found at PaneraBread.com earlier this year, which exposed millions of customer names and other information. That leak took about eight months to correct, from first report to resolution.
If you were impacted, what to do next
If you ordered at all from either of these sites, your information was probably exposed. Here are some steps you should take right now.
- Investigate your email address – Have I Been Pwned is an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest hacks and exposures.
- Change your password – Whenever you hear news of a data breach, it’s a good idea to change your account passwords. Read this article to help you create hack-proof passwords.
- Close unused accounts – Here’s an easy way to manage all of your online accounts at once.
- Beware of phishing scams – Scammers will try and piggyback on breaches like this. They will create phishing emails, pretending to be the affected company, hoping to get victims to click on malicious links that could lead to more problems. Take our phishing IQ test to see if you can spot a fake email.
- Manage passwords – Many people use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you’re using the same credentials on multiple sites, change them to make them unique. If you have too many accounts to remember, you could always use a password manager.
- Keep an eye on your bank accounts – You should be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately.
- Check email security settings – Make sure the email account associated with the hacked site has updated security settings.
- Have strong security software – Protecting your gadgets with strong security software is important. It’s the best defense against digital threats.