88 Comments
- Vhaeos, on 01/08/2008, -0/+88They have a hacker safe button, how is this possible?
- inactive, on 01/08/2008, -1/+27Wouldn't they be breaking PCI compliance by storing enough of your credit card info to make it useful to whoever stole it? It also says the CVVs were stolen... that's a big no-no. I think they will be getting fined soon.
- inactive, on 01/08/2008, -0/+20From Computer World:
ScanAlert says its vulnerability scanning service is designed to constantly monitor Web sites for vulnerabilities that could compromise customer data. The service is used by more than 250,000 Web sites, of which about 80,000 -- including Geeks.com -- display ScanAlert's "Hacker Safe" seal. ScanAlert describes the seal as a "trustmark" that is designed to help reassure consumers about a site's security precautions.
However, Nigel Ravenhill, a ScanAlert spokesman, said today via e-mail that the vendor had withdrawn the Hacker Safe certification from Geeks.com "several times" last year due to the existence of vulnerabilities in the retailer's systems. Geeks.com fell out of compliance with ScanAlert's security requirements last June and then again in December, according to Ravenhill.
"During these periods, the Hacker Safe seal was not allowed to appear on their Web site," Ravenhill wrote in the e-mail. "Preliminary evidence uncovered while investigating this matter suggests that the breach most likely occurred during one of these periods."
He added that each time ScanAlert withdrew its certification, "Geeks.com's IT staff worked diligently to fix the problem. As of today, Geeks.com is meeting the Hacker Safe security standard."
ScanAlert conducts daily security audits to certify that its clients comply with the requirements of the Hacker Safe seal, Ravenhill noted. "As long as the standard is met on a daily basis, ScanAlert will continue to allow a date-stamped image to appear on the client's Web site," he wrote.
- smacksaw, on 01/08/2008, -1/+18Clear
- enclaved, on 01/08/2008, -0/+15I've ordered from them a few times and I never received such an email... apparently like several people in the comments of the article.
- inactive, on 01/08/2008, -2/+16I was thinking the same thing. Why would a company need to store our credit card info?
The customer identity and some stats about previous orders I can understand. But CC number? The customer will provide his damn CC number when they need it. Some heads should roll over that. Lock those ***** in prison!
- EBFoxbat, on 01/08/2008, -5/+18Screwed
- rdaly92, on 01/08/2008, -4/+16ahhh the irony
- D4CH, on 01/08/2008, -0/+12A bit in the middle of the above two comments is my suggestion.
- bowens44, on 01/08/2008, -1/+12Wow. What a stupid comment.
- dood, on 01/08/2008, -0/+9"Preliminary evidence uncovered while investigating this matter suggests that the breach most likely occurred during one of these periods."
He had better be able to back that up with some public logs and the dates of the breaches.
- dood, on 01/08/2008, -0/+8Amazon and Paypal store credit card numbers, among many other sites. The problem is storing the CVV -- that's forbidden.
- CrackyJSquirrel, on 01/08/2008, -0/+7Ewwwww gross. I feel dirty now just going to that site..
- r00tus3r, on 01/08/2008, -0/+7Hey, let's try to keep the 'clear' and 'screwed' comments equal on diggs! That'll confuse the hell out of poor timmy.
- keegster, on 01/08/2008, -0/+7That's odd... you can still buy stuff. You'd think if they got hacked, they'd stop all purchase orders for a while until things get fixed.
- bsmang, on 01/08/2008, -0/+6So having a hacker-safe button on your site is good, until it disappears and lets everyone know you have a gaping hole somewhere.
- sheepster, on 01/08/2008, -2/+8PLEASE NOTE: These numbers will be active beginning on Tuesday, January 9, 2008. - is that today or tomorrow?
- balazsbela, on 01/08/2008, -1/+7Displaying a "Hacker Safe" seal is like an invitation.
I bet h4x0rs like challenges.
- Shaggy63, on 01/08/2008, -0/+6Was the .com built in 24 hrs?
- bsmang, on 01/08/2008, -0/+6And certainly an invite when it's usually there and then it disappears! I can just imagine the jump in activity of researching latest-found vulnerabilities when that happens.
- greyghost487, on 01/08/2008, -0/+5Hacker Safe is such a joke. They charge $2,000 a year for you to display the logo. The vulnerability scanning isn't any different than the Nessus scan reports you get with most leased servers for free. Basically the logo is a selling tool (and their aggressive sales folk remind you of that several times).
Hacker Safe is a marketing scheme, nothing more, and from a security standpoint it is counterproductive for server admins. Your Hacker Safe logo (err, "certification") is yanked away if there is a vulnerability, basically flagging hackers saying "HEY! COME HACK ME!!!"
- johnholden, on 01/08/2008, -0/+5I've bought from Geeks before, and I ALWAYS unchecked the "save my credit card info" option... partly because the site just seemed like one that might be compromised. Now I'm glad I did.
- mikehill33, on 01/08/2008, -0/+5hacker safe = *****.
- BigJStudd, on 01/08/2008, -1/+6Shhh, don't look behind the curtain.
- fadedangel, on 01/08/2008, -0/+5Not a bad response, mind you. I've seen worse!
- tange1, on 01/08/2008, -0/+5If you call Geeks.com they read you a generic line about how "an unauthorized user gained access to their commerce website". If you actually have a question about any of this they will just direct you to call their legal counsel at 312-873-7472.
- dampeal, on 01/08/2008, -0/+5Hrmm... I just bought 3 HDDs from them in September... they never sent me an email about this....
- sega01, on 01/08/2008, -2/+7`curl -I geeks.com` gives:
HTTP/1.1 200 OK
Date: Tue, 08 Jan 2008 14:37:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
There's the problem ;-).
- Goobernutz, on 01/08/2008, -0/+4Amen to that brotha!
- byronm, on 01/08/2008, -0/+4Thumbs up for you. Storing the CVV is "illegal"; however, many merchants store the CC number until the order is complete and then purge it. That way they can do an authorize when ordering and charge when shipping, because you can also get in trouble if you don't deliver goods in x amount of days after the charge (you will get lots of chargebacks). It has its risks and its benefits. Hacker Safe hosts a good PCI compliance self-audit, and if geeks.com hadn't stuck to what they said, it isn't the fault of Hacker Safe.
- oblivinated, on 01/08/2008, -0/+4Thought it was thinkgeek.com for a second. Phew~
- munky100, on 01/08/2008, -1/+5https://www.scanalert.com/RatingVerify?ref=www.gee ...
what a joke!
- timothy53, on 01/08/2008, -2/+5I paid using PayPal; it is linked to my account, and I have a Visa card. Am I screwed or in the clear?
- inactive, on 01/08/2008, -0/+3I guess Bullies.com is at it again
- Awall, on 01/08/2008, -3/+6You are in the clear. As much as I hate paypal, it is pretty much the safest way to pay for anything online. None of your critical paypal or credit card data was ever put on the geeks.com server.
- thailand1972, on 01/08/2008, -0/+3they store credit card info? Bad. They don't use a payment gateway? Bad.
- thailand1972, on 01/08/2008, -0/+3having it there in the 1st place is like saying "come on hackers if you think you're hard enough"
- oldhick, on 01/08/2008, -0/+3I was thinking the same thing! What a lame comment to make seeing how he does NOT have access to any of those logs.
- CrackyJSquirrel, on 01/08/2008, -0/+3It is definitely against PCI compliance. Things like credit card numbers and socials are usually double encrypted, but need to be decrypted. So the resources to do the decryption can be found somewhere in the network. The double encryption, and how it is implemented, is merely there to help deter the intruder. As long as they can find what you are using for encryption, they can reverse engineer and decrypt everything. But, regardless of that, if they are in, thumbing around on your network and in your database, you are ***** either way. It all comes down to how meticulous you were in your PCI compliance and how long you can delay the hacker, giving you time to detect them and shut them down.
Also, who knows what level of PCI compliance they were at at the moment. Like my company is just finishing up the last stages of our PCI compliance, which took us all year to ramp up.
- optize, on 01/08/2008, -0/+3Companies store it to make it easier for you to shop there again. 'Use card on file when ordering' etc.
PCI (Visa/Mastercard) requires that the credit card must be encrypted, but they also require that the CVV2 is never stored.
So it looks like they didn't pay attention to PCI at all, and now they will be fined for it. Plus, if you get hacked you will become a Tier-1 merchant now with PCI and they will do on-site visits to make sure you are kept up to date on your security.
- najdorf, on 01/08/2008, -0/+2They can't get his money from PayPal as merchants don't get the PayPal password.
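The PCI storage rules several commenters cite (card number only encrypted or masked, CVV2 never persisted, card data purged once the order is captured) are easy to audit mechanically. The following is an added example, not code from Geeks.com or ScanAlert: it scans constructed order records for those three violations and shows what a record should look like before it is written to disk. Field names and sample values are assumptions; the card numbers are standard test numbers.

```python
import re

# Constructed sample of what a careless order store might persist.
# PANs are well-known test numbers, not real cards.
SAMPLE_RECORDS = [
    {"order": 1001, "pan": "4111111111111111", "exp": "12/09", "cvv": "123", "shipped": True},
    {"order": 1002, "pan": "5500000000000004", "exp": "03/10", "cvv": "", "shipped": False},
    {"order": 1003, "pan": "4111111111111111", "exp": "12/09", "shipped": False},
]

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum (filters out
    order ids and phone numbers that merely look like card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit_record(rec: dict) -> list:
    """Return the PCI DSS storage violations found in one persisted record."""
    findings = []
    if rec.get("cvv"):                                  # CVV2 must never be stored
        findings.append("cvv stored")
    pan = rec.get("pan", "")
    if PAN_RE.fullmatch(pan) and luhn_ok(pan):          # clear-text full PAN
        findings.append("full PAN in clear")
    if rec.get("shipped") and pan:                      # purge once captured
        findings.append("PAN retained after order complete")
    return findings


def sanitize_for_storage(rec: dict) -> dict:
    """Hypothetical 'what should have been written': drop the CVV, keep only
    the last four digits for display. A later capture uses the gateway's
    authorization reference, not the card number, so the PAN is not kept."""
    out = {k: v for k, v in rec.items() if k not in ("cvv", "pan")}
    if rec.get("pan"):
        out["pan_last4"] = rec["pan"][-4:]
    return out


def audit_all(records) -> dict:
    """Map order id -> findings for every record that has at least one."""
    return {r["order"]: audit_record(r) for r in records if audit_record(r)}
```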
- forcedfx, on 01/08/2008, -0/+2Yet another reason why I always use a ShopSafe number online.
- gropo, on 01/08/2008, -0/+2I'm confused... No mention of "dopey liberals" anywhere in this post.
Also confused: you obviously aren't employed (the trolling digg political opinion threads all day thing), yet you can purchase electronics?
- optize, on 01/08/2008, -0/+2HackerSafe will show you are SAFE if you only have them scan some of your network. So let's say you have 15 web servers + 10 database servers, but you only have HackerSafe check a few.... If those few are good, they will consider your site safe; however, there are still other entries to get into the network.
Plus, there's always internal break-ins (pissed off employees, etc). Most companies have an internal network to look at customer data, which might have been hacked instead of the 'customer facing' ordering system.
- theratdotus, on 01/08/2008, -1/+3I just bought a Vizio from them! yoooooooooooo wtf
- 0ceanic, on 01/08/2008, -0/+2go back to aol
- gdfwilliams, on 01/08/2008, -0/+2I'm a long time Geeks.com customer, but didn't receive an email. I just called their 800 number and heard that the data of 650 customers is presumed to have been stolen. The rep wasn't sure who got emails and who didn't. I know I did not. The breach was on December 5.
- optize, on 01/08/2008, -0/+2It's against PCI to store the CVV2 numbers. They'll have fun with Mastercard and Visa breathing down their necks.
- duckyinc, on 01/08/2008, -2/+4What irony? Hackers are geeks, but geeks aren't hackers.
- soupyc, on 01/08/2008, -0/+2You really don't know what site you're posting on do you?