A security alert was issued to everyone with a Superdrug or Superdrug Mobile account, saying that hackers had contacted the company claiming they had hacked the website and had the details of 20,000 accounts. Superdrug claim only 186 have been compromised.
Superdrug have said that no one can get hold of any card information, but the hackers will have details of your name, address and date of birth, as well as your email address, and this could be used for other fraud.
A Superdrug advisor we spoke with tells us that people with accounts must change their password as soon as they can; however, the website for changing the password is down.
Action Fraud and the police are now aware of the situation. It seems only one hacker has compromised systems, and it is thought he got in by using passwords from other websites. This is why it is important to use a different password on every website.
We asked Action Fraud about this, but they were unable to tell us anything, although they gave us useful information that we already had.
The full legitimate security alert from the email:
We respect the privacy of your personal information, which is why we are writing to advise you of an event that resulted in the possible disclosure of your personal data, but not including your payment card information.
On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information. There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website. The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386.
Customers’ names, addresses and, in some instances, date of birth, phone number and points balances may have been accessed. In line with good security practice, we are advising you to change your Superdrug.com password now and on an on-going, frequent basis.
We have contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.