Stolen passwords re-used to attack Best Buy accounts

Customer re-use of the same user name and password across multiple sites is being blamed for attacks on customer accounts at BestBuy.com.
Written by John Fontana, Contributor

After months of Best Buy customers reporting compromised accounts, the company has finally confirmed hackers are attacking its online retail site using credentials stolen from other sites.

It’s a worst-case scenario, where credentials stolen from one site are used to access other sites, most notably retail or banking sites where hackers can extract some value.

That is possible because users tend to use the same username and password at multiple sites. In a Washington Post survey last month, 30% of respondents said they use the same password for different websites, such as banking, social networking and shopping.

In the Best Buy case, hackers are testing that theory, according to company officials. The original credential theft may have occurred more than a year ago from a site not affiliated with Best Buy and is now raising its ugly head as hackers log into Best Buy accounts that keep a credit card on file and steal hundreds of dollars in gift cards.
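The pattern described above, a list of credentials stolen elsewhere being replayed against a retailer's login page, leaves a distinctive trace in authentication logs: one source trying many different usernames with a low success rate. The following detection sketch is an added example, not code from the article or from Best Buy; the log events, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (source_ip, username, outcome); not real logs.
LOGIN_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),   # reused password worked here
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.4", "alice", "fail"),     # one user, one typo: normal
    ("198.51.100.4", "alice", "success"),
    ("192.0.2.9", "grace", "success"),
]

def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {source_ip: stats} for sources that tried many distinct
    usernames and mostly failed. A real user mistypes one account's
    password; a replayed stolen list walks through many accounts."""
    per_source = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for src, user, outcome in events:
        stats = per_source[src]
        stats["users"].add(user)
        stats["attempts"] += 1
        if outcome == "success":
            stats["successes"] += 1
    flagged = {}
    for src, stats in per_source.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {"distinct_users": len(stats["users"]), "success_rate": rate}
    return flagged

def accounts_to_reset(events, flagged_sources):
    """Accounts that a flagged source logged into successfully: those
    users' reused passwords are known to the attacker and must be reset,
    which is the response Best Buy's email describes."""
    return sorted({user for src, user, outcome in events
                   if src in flagged_sources and outcome == "success"})

if __name__ == "__main__":
    sources = find_stuffing_sources(LOGIN_EVENTS)
    print("stuffing sources:", sources)
    print("force reset for:", accounts_to_reset(LOGIN_EVENTS, sources))
```

In production the same logic runs over a sliding time window and should also key on shared device fingerprints or ASN, since a stuffing campaign is usually spread across many IPs.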

The scenario is the reason users are told not to re-use passwords.

And it’s why the trend of hackers posting stolen user names and passwords on the Internet is alarming: it often means a hack has multiple phases beyond the initial theft.

Just today, Formspring reported that it reset upwards of 27 million passwords after discovering 420,000 password hashes, which it believed belonged to Formspring customers, posted to a security forum.

If those hashes are ultimately unscrambled, the real damage for Formspring users could happen down the road in months or even years if they used a password over and over again. In the recent LinkedIn hack, passwords were unscrambled just a short time after being stolen.

Since April, Best Buy customers have been reporting that their usernames and passwords were used by someone to access their accounts and purchase gift cards that were then sent to an email address that did not belong to the user.

On a Best Buy customer discussion board, one user posted an email received from Best Buy asking customers to update their passwords because their credentials, which the company said were not stolen from Best Buy systems, had been used fraudulently.

“We are currently investigating increased attempts by hackers around the world to access accounts on BestBuy.com and other online retailers’ e-commerce sites,” the email said. “These hackers did not take username/password combinations from any Best Buy systems; they appear to be using combinations taken elsewhere in an attempt to gain access to BestBuy.com accounts. … We are taking action now to help protect your account; we have disabled your current password and ask that you take a few minutes to reset it.”

The email included a link for a password reset and asked users to validate personal information.

Susan Busch, Best Buy’s senior director of public relations, confirmed Best Buy sent the email to customers.

“We believe a secondary party gleaned user information and passwords from other online sites and then they’re tapping into us and other retailers to see if people are using their same password across multiple sites,” said Busch.

Last year, Best Buy and other companies were caught up in the hack of Epsilon, an email marketing service provider. Epsilon admitted that it lost user email addresses, but said no personally identifiable information was taken. It was the second time in a month that Best Buy customer email addresses were stolen.

On the Best Buy discussion site, some users reported being hacked but said they were not using a duplicated credential and questioned the Best Buy alert and explanation.

One participant noted:

“That means this is either an inside (Best Buy employee) hack, or this is directly due to the Epsilon hacking that happened last year in 2011. If more reports come in by other customers and they admit they haven’t changed their password in over a year, it could be guaranteed that the Epsilon hack is the culprit.”
