A server containing a database holding customer information pertaining to various UK-based online fashion retailers was discovered to be insecure after it was breached by a white-hat hacker on 9 July.
Third-party IT and e-commerce services provider Fashion Nexus, which manages the server in question, disclosed in an online notification that roughly 922,000 unique email addresses were left exposed by the server — although 280,000 of these addresses had been previously exposed "by audit processes in brute force login attempts from external unrelated already-breached email lists."
However, security expert Graham Cluley reported a higher number, writing in a 30 July blog post that the faulty server exposed data on approximately 1.3 million shoppers.
Fashion Nexus's clients Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, and Traffic People — all apparel and accessories merchants — are affected. Cluley reported that DLSB was impacted as well, but Fashion Nexus contended that this retailer's data was not taken.
Potentially exposed data includes salted password hashes, names, birth dates, email addresses, phone numbers, and some shipping addresses, but not financial information.
Crediting the insecure server's discovery to ethical hacker Taylor Ralston, Cluley said it is unclear what the cause of the breach is. However, Fashion Nexus's statement did briefly refer to an unspecified bug, noting, "The breach was quickly identified and the vulnerability removed." The company also said that the Information Commissioner's Office (ICO) was informed of the incident.
Additionally, Cluley reported that Fashion Nexus's sister company White Room Solutions told him that "the breach was via a site that has subsequently been taken down and is considered resolved."