Updated Anyvan, the European online marketplace that lets users buy delivery, transport or removal services from a network of providers, has confirmed it was the victim of a digital burglary that involved the theft of customers' personal data.
The company wrote to customers mid-last week to inform them of a "breach of security resulting in the unauthorised access to data from our user database," according to the email seen by The Register.
"This leaking of data came to our attention on the 31st December but we understand the incident itself occurred at the end of September. As soon as the incident came to our attention, our specialist IT team investigated it and have since taken the following remedial action: all passwords have been changed."
The data in question? "Customers' names, email and a cryptographic hash of their password were accessed and 'potentially viewed' but no other personal data was unwittingly shared. A probe of events continues," said Anyvan.
As well as being "very sorry for the inconvenience," the company advised customers who used a password to access their account from April last year to update it immediately and in line with good hygiene to "regularly change your password to accounts that hold your personal data."
Besides changing the passwords, it didn't mention how it would avoid the same incident from re-occurring. It is not known whether the password hashes were salted. Salting is normally done to prevent hash collision attacks - where an attacker tries to find two input strings of a hash function to produce the same result.
El Reg sent a list of questions to AnyVan last week about the compromise of its internal systems, asking how entry was gained; how it has since been ..
Support the originator by clicking the read the rest link below.
