
Security Leak


15 replies to this topic

#1

90f9c4e383bb9ed3c95a09a835cfd245
  • 90f9c4e383bb9ed3c95a09a835cfd245
  • Rookie

  • posts 1

Posted 09 November 2018 - 11:47 AM

This user is banned!

https://www.reddit.c...ecurity_issues/

 

Can anyone advise on this?

 

PSA: computerlounge.co.nz has security issues.
 

If you have an account there you should delete or falsify your data, otherwise it can be stolen. Data that may be included: full name, email, company, day phone, mobile phone, order history and addresses. Before anyone asks, yes, I've tried contacting them since May and nothing has changed. It is quite likely that many of you are sceptical, so if someone known in this sub has an account there and wants to verify with me they can private message me.



#2

LinuxUser
  • LinuxUser
  • PriceSpy

  • posts 8,943

Posted 09 November 2018 - 07:01 PM

Well, reading that Reddit thread I'm thoroughly disgusted with them. First, for their lack of response until the authorities were notified (I mean, they managed to fix it within a week – there is absolutely no excuse for not fixing it in the previous 5+ months), which shows they don't care in the slightest about the security of their customers' data. Second, the attitude that shows towards their customers – obviously they don't care about them at all, but simply about the money they can get from them. And thirdly, they haven't notified me that my data could have been compromised.

 

Their website does say they've fixed it, and the Reddit thread hints that it might have been (but does not confirm it). Therefore I would say there is no need to worry about it now.

 

But with that attitude I would definitely not be recommending them to anyone, but in fact would recommend avoiding them if at all reasonable to do so. Personally I will not be buying from them any time soon due to this...


  • 152c1486875e323896ced9408a4b27a6 likes this

Recommended Power Supplies Recommended review sites Why stores shouldn't be removed RAM voltage

i5 7400, Gigabyte GA-B250M-D3H, 16 GB DDR4, integrated graphics, Adata XPG SX8200 480 GB (NVMe), 3x Kingston SSDNow KC380 120 GB, Corsair MX100 128 GB, Spinpoint F3 1TB HDD, DVD writer, all inside a wood case I built, Dell U2412M 24", U2311H 23" IPS and Philips 150B4 15" monitors, wood-bodied mouse, Dvorak keyboard, openSUSE Tumbleweed, Windows 8.1 Pro in a VB VM inside Linux

I may occasionally give advice regarding (consumer) law, but it is only my opinion based on my reading – I am not a lawyer.

Romans 3:23; 6:23; 5:8; 10:9-10,13


#3

Republican
  • Republican
  • Apprentice

  • PipPipPip
  • posts 311

Posted 09 November 2018 - 11:31 PM

they did send me an email about the breach.

 

the worst part is all the past orders are on the site in plain text so even if you did change the user info it would have been pointless,

phone numbers are mandatory.

 

this is one of the reasons why I like to use a nickname or name of my pet when ordering anything online.


Edited by Republican, 09 November 2018 - 11:33 PM.

  • LinuxUser likes this

#4

LinuxUser
  • LinuxUser
  • PriceSpy

  • posts 8,943

Posted 10 November 2018 - 09:05 AM

Interesting, maybe they only notify those they think might have been affected...

 

But yeah, it's pretty bad.




#5

Sury
  • Sury
  • Wannabe

  • Pip
  • posts 48

Posted 12 November 2018 - 08:39 AM

I got an email from Computer Lounge about this... so guess my account was affected. = (

 

What would be a real joke is if Computer Lounge gets shop of the year 2018.

 


Corsair 750D | Asus Z97 Deluxe(NFC & WLC) | Intel i7 4690K | Corsair Dominator Platinum 16GB DDR3 | Gigabyte G1 980TI | Samsung 840 256GB | Samsung 850 Evo 500GB | WD Blue 1TB | Sound Blaster Z | Corsair AX1200i | Noiseblocker BlackSilent Pro Fans
Custom Water Cooled: EK GPU Block | Koolance 380i CPU Block | Bitspower Fittings | Bitspower 150 Upgrade Kit | Bitspower D5 Mod Top | Bitspower D5 Mod Kit | SwifTech D5 Pump | PrimoChill Compression Fittings | Primochill PETG Tubing


#6

152c1486875e323896ced9408a4b27a6
  • 152c1486875e323896ced9408a4b27a6
  • Rookie

  • posts 3

Posted 13 November 2018 - 10:41 AM


This user is banned!


We would like to inform our customers of a vulnerability in our website that may have been exploited to extract certain customer information. At this stage we do not know the full extent of the data leaked, but we are currently working with a team of data forensics specialists to determine this.

 

We have notified the Privacy Commission, CERT NZ, as well as the Police, and we are working with them to ensure that the correct steps are being taken to minimise any impact for our customers.

 

Sincerely,

Computer Lounge

 

 

 

How much of customer details have been leaked? Delete your account immediately!

 

https://www.reddit.c...ecurity_issues/



#7

DZander
  • DZander
  • Wannabe

  • Pip
  • posts 43

Posted 13 November 2018 - 10:47 AM

Nice timing with shop of the year just announced too.



#8

152c1486875e323896ced9408a4b27a6
  • 152c1486875e323896ced9408a4b27a6
  • Rookie

  • posts 3

Posted 13 November 2018 - 11:00 AM

This user is banned!

Spread the word to friends and family. Delete your account, this site is not safe!



#9

LinuxUser
  • LinuxUser
  • PriceSpy

  • posts 8,943

Posted 13 November 2018 - 02:42 PM

This user is banned!


We would like to inform our customers of a vulnerability in our website that may have been exploited to extract certain customer information. At this stage we do not know the full extent of the data leaked, but we are currently working with a team of data forensics specialists to determine this.

 

We have notified the Privacy Commission, CERT NZ, as well as the Police, and we are working with them to ensure that the correct steps are being taken to minimise any impact for our customers.

 

Sincerely,

Computer Lounge

 

 

 

How much of customer details have been leaked? Delete your account immediately!

 

https://www.reddit.c...ecurity_issues/

 

 

Thanks. This had already been posted in another thread, and I should have split it out into its own. I've done that now by moving those posts in here.

 

This user is banned!

Spread the word to friends and family. Delete your account, this site is not safe!

 

It wasn't, but that was over a week ago. I'm pretty sure it is safe now. And can you even delete your account anyway? I can't see any way to.




#10

Sury
  • Sury
  • Wannabe

  • Pip
  • posts 48

Posted 14 November 2018 - 08:28 AM

There is no way to delete your account; there is also no option to request what data Computer Lounge are keeping.

 

Under the GDPR rules, any person with an EU passport has the right to request their data and also to be able to delete their account.

Technically Computer Lounge can get in trouble from the EU if someone complained to them about it.

 

The only thing Computer Lounge did right was let customers know about the situation... but even then not all customers may have been notified so... they would be in breach of GDPR rules as they needed to inform all of their customers.


  • 152c1486875e323896ced9408a4b27a6 likes this



#11

152c1486875e323896ced9408a4b27a6
  • 152c1486875e323896ced9408a4b27a6
  • Rookie

  • posts 3

Posted 14 November 2018 - 09:09 AM

This user is banned!

Computer Lounge were notified by email of the vulnerability and said "we know of the problem and it's on their list of things to do" - NOT GOOD ENOUGH! All customers at a minimum should have received an email immediately along with an option to delete their account. As you say still no option to delete your information from a website that has extremely weak security. 



#12

LinuxUser
  • LinuxUser
  • PriceSpy

  • posts 8,943

Posted 14 November 2018 - 10:19 AM

There is no way to delete your account; there is also no option to request what data Computer Lounge are keeping.

 

Under the GDPR rules, any person with an EU passport has the right to request their data and also to be able to delete their account.

Technically Computer Lounge can get in trouble from the EU if someone complained to them about it.

 

The only thing Computer Lounge did right was let customers know about the situation... but even then not all customers may have been notified so... they would be in breach of GDPR rules as they needed to inform all of their customers.

 

Computer Lounge doesn't care about the GDPR as they don't target Europe. Pretty much the worst that would happen is the EU could block them...

 

And I still haven't been notified. OK, the last time I bought from them was 2015, but that's not a reason to not notify me.

 

This user is banned!

Computer Lounge were notified by email of the vulnerability and said "we know of the problem and it's on their list of things to do" - NOT GOOD ENOUGH! All customers at a minimum should have received an email immediately along with an option to delete their account. As you say still no option to delete your information from a website that has extremely weak security. 

 

A few days ago their site had a message saying that the breach had happened, and implied that it had been fixed. For some reason they've taken that down – but probably because they're too scared it'll impact their bottom line rather than because the security issue is ongoing. But there is definitely the possibility that their site has other security issues. And if you can provide evidence that the issue is still there, I'm more than willing to accept it.




#13

6b309b2a8730f82ce95512b73933a6b6
  • 6b309b2a8730f82ce95512b73933a6b6
  • Rookie

  • posts 1

Posted 16 November 2018 - 12:35 PM

This user is banned!

I think you would be crazy to use Computer Lounge after what has come to light regarding the vulnerability and potential loss of customer information and the fact that they were made aware of the fault and did nothing about it for 6 months until they were called out about it.


  • f7b4e7daabf82a61977910cdeecb9224 likes this

#14

Jexla
  • Jexla
  • Amateur

  • PipPip
  • posts 55

Posted 18 November 2018 - 12:59 PM

I think you would be crazy to use Computer Lounge after what has come to light regarding the vulnerability and potential loss of customer information and the fact that they were made aware of the fault and did nothing about it for 6 months until they were called out about it.

I personally agree, but the way you're harping on about it makes you sound like a PBTech or other shill.


There is no way to delete your account; there is also no option to request what data Computer Lounge are keeping.

 

Under the GDPR rules, any person with an EU passport has the right to request their data and also to be able to delete their account.

Technically Computer Lounge can get in trouble from the EU if someone complained to them about it.

 

The only thing Computer Lounge did right was let customers know about the situation... but even then not all customers may have been notified so... they would be in breach of GDPR rules as they needed to inform all of their customers.

This is silly, an email to their publicized email address is an option to request their user data.
So they can request the data, there's just no special link for it, just like there isn't on any other store that's listed on this site. /derp


  • LinuxUser likes this

#15

Sury
  • Sury
  • Wannabe

  • Pip
  • posts 48

Posted 19 November 2018 - 08:47 AM

I personally agree, but the way you're harping on about it makes you sound like a PBTech or other shill.


This is silly, an email to their publicized email address is an option to request their user data.
So they can request the data, there's just no special link for it, just like there isn't on any other store that's listed on this site. /derp

 

Yes, you are correct Jexla, you can send an email and get saved data.

Being a Web Developer I automated the whole process with the GDPR data request and account deletion, for my clients' online stores.
Having a link is the smarter way to go, as then there is no involvement/time required by the company to look up details and then send it to their customer. Business cap on.. time is $$$.

 

On a side note... funny enough on 1 of my client's stores which ships internationally, I noticed all of the people that requested their data that is being saved have only been Kiwis and Aussies so far.

 

Personally I think the GDPR is a bit over the top, it's fine within Europe... but it shouldn't be worldwide.

But GDPR rules are in place and it is a lot better to be safe and provide links than to be hit with a fine.




#16

DZander
  • DZander
  • Wannabe

  • Pip
  • posts 43

Posted 30 November 2018 - 09:09 AM

Has anyone else been notified?

 

I've asked if my data was hacked and all I got was an invite to vote for them as store of the year.





