Store credit card numbers in a debug log, lose millions of accounts. Cost? $1.9m
Online retailer Zoetop will fork out $1.9 million after account data belonging to 46 million customers was stolen in 2018.
About those hashed passwords: "The method Zoetop had used to hash the passwords left them susceptible to password cracking attacks, through which attackers could identify the original, unhashed password," the New York probe found.
Around July 18, 2018, the web giant's payment processor told Zoetop it had been contacted by a major credit card network and another issuing bank "indicating that system[s] have been infiltrated and card data stolen."
Zoetop hired a cybersecurity firm, which confirmed the exfiltration: some 39 million Shein customers had their account info swiped.
In 2020, after discovering more customer data for sale on the dark web, Zoetop realized seven million Romwe accounts' usernames and passwords had also been exfiltrated in the 2018 theft.
On top of this, according to the NY AG:. In addition to paying $1.9 million to settle the case, Zoetop also agreed to improve its security program to include "robust" password hashing, network monitoring, vulnerability scanning, and incident response policies.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/14/zoetop_data_breach_fine/