
Cordee data breach?

This topic has been archived, and won't accept reply postings.
 andrewmc 17 Nov 2020

I was looking in my Gmail spam folder, and there were a number of emails (which I deleted before I thought a bit more about it) which were the usual extortion stuff (we have installed malware on your computer, we hacked your webcam while you watched 'adult' sites, we can send it to all your FB friends unless you send us Bitcoin).

The interesting thing was that prominent in the subject line and in the email was a password which they claimed was mine. I use a password manager so it was a random string of characters, but for people who only use a few passwords and are surprised to see one they recognise I can understand people thinking they have been hacked (instead of a website they have used the password in being hacked).

Anyway, I searched my password manager for a site I had used this password in, and there was a site: cordee.co.uk. Since this is a climbing/walking book shop, I thought it might be of interest to people here who might want to reset their password, and if they have used that password elsewhere, stop! Get a password manager and never use the same password in more than one site.

Obviously I have emailed Cordee; it seems the breach is already known on the web to security researchers (but possibly not Cordee):
https://www.breaches.uk/breaches/breach-traded-on-dark-web-cordee-co-uk-15666-lines

I assume they don't know, since failing to report such a breach to both the ICO and their users would be a bad thing...
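The check described in the post above, done by hand in a password manager, is easy to script. The following is an added example, not code from the original post: it takes a password quoted in an extortion email, searches a password-manager CSV export for the entries that use it, and then reports every password that is shared by more than one site. The export layout (`url,username,password`) and the sample rows are constructed for illustration; real exports vary by product, so adjust the column names.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (not real credentials) in a common "url,username,password" layout.
SAMPLE_EXPORT = """url,username,password
https://cordee.co.uk,andrew@example.com,Xk7#pQ2vLm9!
https://example-forum.org,andrew,Xk7#pQ2vLm9!
https://mail.example.com,andrew@example.com,zR4$tWq8nB1@
https://shop.example.net,andrew,Summer2014
https://bank.example.com,andrew,Summer2014
"""


def parse_export(text):
    """Parse a CSV export into (url, username, password) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["url"], row["username"], row["password"]) for row in reader]


def sites_using(entries, leaked_password):
    """Which sites hold the exact password that turned up in the extortion email."""
    return sorted({url for url, _, pw in entries if pw == leaked_password})


def reuse_report(entries):
    """Map each password that appears on more than one site to the sorted list of those sites."""
    by_password = defaultdict(set)
    for url, _, pw in entries:
        by_password[pw].add(url)
    return {pw: sorted(urls) for pw, urls in by_password.items() if len(urls) > 1}


def fingerprint(password):
    """Short SHA-1 prefix so a report can refer to a password without printing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:10].upper()


def main():
    entries = parse_export(SAMPLE_EXPORT)
    leaked = "Xk7#pQ2vLm9!"  # the string quoted in the scam email (constructed)
    print("Leaked password is used at:", ", ".join(sites_using(entries, leaked)))
    for pw, urls in reuse_report(entries).items():
        print(f"password {fingerprint(pw)} reused on {len(urls)} sites: {', '.join(urls)}")


if __name__ == "__main__":
    main()
```

Every site listed in the reuse report needs a fresh, unique password, not just the one that was breached: the leaked string is what attackers will try first against every other service.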

 Cordeebooks 18 Nov 2020
In reply to andrewmc:

Thanks for bringing this to our attention. We take this matter very seriously. Prior to GDPR legislation of 2018, we had a user report something similar. As a result, we had IT professionals investigate. No evidence was found of any data theft or breach. We then had IT professionals look to see if there were any improvements that could be made in security. All recommendations were implemented to increase the level of security in line with industry standards and we continue to evolve security, as necessary. All passwords stored are encrypted. As another backstop we also set up an email address and password unique to the Cordee website which is monitored.

We contacted the ICO as a matter of course and to seek advice. They deemed it not to be a notifiable breach. Measures such as forced password resets were discussed, but we were advised that this wasn’t necessary.

Be assured that no financial data such as card details are stored or seen by Cordee (we use World Pay to handle payment transactions). Personal data is only stored as long as we are obliged to by law, after which it is made unusable.

As a result of you bringing this to our attention, and as a further precaution, we will now force a password reset for all users who signed up to the site prior to the most recent update and will delete all inactive accounts.

Any queries from yourself or indeed any other users who are concerned should be emailed to info@cordee.co.uk where they will be dealt with as a matter of urgency.

We apologise for any inconvenience caused.
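The reply above says stored passwords are "encrypted" and that accounts created before the latest update will be forced to reset. The following is an added example, not Cordee's code, of what a site should do on both points: store a salted, slow hash (PBKDF2-HMAC-SHA256 here) rather than anything reversible, so a copy of the user table cannot be turned back into passwords even by someone holding the site's keys, and gate logins for accounts that predate the cutoff or still carry a legacy record. The work factor, the cutoff date and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed PBKDF2-HMAC-SHA256 work factor (illustrative; set per current guidance).
ITERATIONS = 600_000
# Assumed cutoff: accounts created before this date are forced to reset.
RESET_CUTOFF = date(2020, 11, 18)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing salted hash; no key exists that could reverse it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check of a candidate against a stored record; legacy formats never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_account(email, created_iso, stored):
    """Minimal account record (constructed layout): email, signup date, stored credential."""
    return {"email": email, "created": date.fromisoformat(created_iso), "password": stored}


def needs_reset(account, cutoff=RESET_CUTOFF):
    """Pre-cutoff signups and anything not on the current hash scheme must reset."""
    return account["created"] < cutoff or not account["password"].startswith("pbkdf2_sha256$")


def login(account, password, cutoff=RESET_CUTOFF):
    """Returns 'reset_required', 'denied' or 'ok'; old credentials are never accepted."""
    if needs_reset(account, cutoff):
        return "reset_required"
    if not verify_password(password, account["password"]):
        return "denied"
    return "ok"


def main():
    old = make_account("old@example.com", "2015-06-01", "legacy$3a7f")
    new = make_account("new@example.com", "2021-01-05", hash_password("correct horse battery"))
    print(old["email"], login(old, "anything"))
    print(new["email"], login(new, "correct horse battery"), login(new, "wrong"))


if __name__ == "__main__":
    main()
```

A forced reset is only effective if the old record cannot still be used to log in; here `needs_reset` is checked before the password is even examined, so an attacker holding a leaked pre-cutoff credential gains nothing from it.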

 andrewmc 18 Nov 2020
In reply to andrewmc:

I should add that my password was at least several years old, so could very well have come from the pre-upgrade period.

Once again, the important thing is that you shouldn't use the same password in more than one site!

Post edited at 16:33
In reply to andrewmc:

> I should add that my password was at least several years old, so could very well have come from the pre-upgrade period.

> Once again, the important thing is that you shouldn't use the same password in more than one site!

Terribly good advice. I have a password manager and make up a bunch of random stuff for each. It's free too.
