Kat Hall reports:
Online takeaway service Hungryhouse has reset the passwords of thousands of its customers following an apparent data breach at a third-party hosting company.
Scott Fletcher, chief executive of Hungryhouse, said: “We had no affiliation with the web hosting company that was hit by a data breach. But when our head of security noticed that a number of our customers’ details appeared on the list of emails that had been breached, we took the pre-emptive step of asking them to change their passwords.”
One Hungryhouse customer got in touch with The Register to say he had been told by the fast food folk this morning that 10,000 of its customers had had their passwords reset following the breach.
Read more on The Register.
So is this a reset because customers re-used passwords/logins across sites? Sounds like it may be. (See update below).
Update: As I thought, this was a proactive response by Hungryhouse. Thanks to the commenter who pointed us to a statement by Hungryhouse’s CEO elsewhere:
We reacted to a data leak by ‘oooWebhost’. http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
We have no affiliation, or relationship to them. When the customer list was leaked, we compared this list to ours. If there was an email address match, we deleted the customer’s payment information and reset the password as a precaution. We took this precaution after the Talktalk leak etc.
But wow… if every company starts forcing password resets based on email addresses showing up in data dumps, there are going to be a helluva lot of password resets.
Fallout from the 000webhost breach
http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
See Scott Fletcher’s (CEO of hungryhouse) comment:
http://forums.theregister.co.uk/forum/1/2015/11/27/hungryhouse_password_change/#c_2709419