Over 21,000 plain text passwords stolen from Billabong

Hackers have released what they claim are the details of over 21,000 user accounts belonging to Billabong customers.
Written by Michael Lee, Contributor

Billabong has joined Yahoo as the latest company that has been found to store its users' passwords in plain text, with hackers claiming to have leaked the system information for Billabong's site and the log-in details for over 20,000 customers.

In a post, placed on a popular code sharing site, hackers claimed to have exposed the root information for Billabong's network, the usernames and passwords for its MySQL databases and information on over 21,000 user accounts.

The user account information included email addresses and passwords, which were stored in plain text. The hackers claimed to have leaked 20,000 to 35,000 accounts, but the list, ordered alphabetically, stops mid-way, at email addresses beginning with "marc". Nevertheless, the information for a total of 21,435 users is now in the wild.

Although the leak appears to contain enough information to cause significant damage to Billabong's servers, the company's site was still standing at the time of writing, even though close to a thousand users had already seen the post. This could indicate that Billabong may have already taken action to change its own passwords.

Billabong has confirmed that its systems were compromised, stating that it was aware that one customer database at Billabong.com was subject to attack.

"At this stage, we understand that the customer database contains personal information of certain customers of the website, but no financial data. We view this attack as an extremely serious matter and have taken urgent action to contain the incident and prevent further attacks occurring. We are continuing to gather information about the incident and to establish the extent and nature of the data that may have been accessed. We will take further appropriate measures as new information comes to light."

ZDNet understands that Billabong has taken measures to alert the appropriate authorities and regulators responsible in the event of a data breach. In addition, an investigation is currently being conducted to determine what systems were accessed and if any further data was stolen. Billabong has stated it will take further action as it learns more about the situation.

This alleged breach echoes those at Formspring, Yahoo and Phandroid, which occurred in the second half of this week, and, a few weeks prior, the targeting of LinkedIn, eHarmony and Last.fm (the latter of which is owned by CBS, the parent company of ZDNet).

The leak of information is already affecting Best Buy, which confirmed that, due to its customers re-using credentials across multiple websites, the breaches had enabled malicious parties to fraudulently purchase gift cards.

Updated at 8.45pm, Friday 13 July 2012: added further comment from Billabong confirming the breach.
