DataBreaches.Net


VUDU warns customers after user data stolen in burglary

Posted on April 10, 2013 by Dissent

Damon Poeter reports that streaming video provider VUDU has been notifying users after a hard drive containing user data was stolen during an office burglary:

Vudu notified users that a break-in at its offices on 24 March compromised users’ personal information and account activity, warning customers to be on the lookout for “spam email, emails asking for personal information, or emails asking you to click on links to other websites” as a result.

The streaming video provider said “a number of items were stolen, including hard drives” during the burglary of its Santa Clara, California-based offices. Vudu informed customers in an email message that it was implementing a system-wide password reset because the hard drives contained user emails, addresses, account activity, dates of birth, and in some cases, credit card information.

Read more on ItProPortal.

VUDU has also posted an FAQ about the breach that provides a bit more detail on the data types involved:

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

Addendum: Text of VUDU’s email to users, provided to this site by a reader:

Date: Tue, 09 Apr 2013 14:43:26 -0600
From: “VUDU, Inc.”
Reply-To: “VUDU, Inc.”
To: [redacted]
Subject: Important Information Regarding Your VUDU Account.

Dear [redacted],

We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.

While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. So we think it’s best to be proactive and ask that you be proactive as well.

SECURITY PRECAUTIONS:

If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the “Sign In” button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.

As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.

As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.

Thank you,

Prasanna Ganesan
Chief Technology Officer, VUDU
VUDU.com | Support | Sign In
Please also note that this email inbox is not monitored. To contact us, please visit vudu.com/support.html

Security & Privacy
VUDU protects your security and privacy. We will never ask for personal information (such as passwords or payment information) in an email Postcard. If you receive such a request, please do not respond to the email. See our Privacy Policy

VUDU, Inc., 2980 Bowers Ave. Santa Clara, CA, 95051, UNITED STATES © 2013 VUDU, Inc. All rights reserved.

Category: Breach Incidents, Business Sector, Theft, U.S.
