I’ve heard back from JLAudio, who confirms that they were hacked. A spokesperson for the firm indicates that the hacked database is maintained by a third-party vendor whom they declined to name. The site was used by customers to upload pictures of their cars showing their JLAudio systems. The picture gallery has been removed in response to the hack until the data are better secured.
JLAudio has already sent out e-mails to those affected, encouraging them to change their passwords if they re-use passwords across sites or accounts. Here’s a copy of the email, provided to DataBreaches.net by the company:
Dear JL Audio online gallery user:
This morning we became aware of a data breach which resulted in an unauthorized party gaining access to records of users of JL Audio’s online photo gallery, located at http://mobile.jlaudio.com/gallery/index.php. This unauthorized party has maliciously posted these gallery user records on the internet, making the information public. We have taken the gallery down for maintenance until the vulnerability is fixed.
We are informing you immediately so that you can take appropriate actions to protect your user name and password information in the event that you use the same ones for other online sites. We strongly recommend that you change your password on any other site in which you used the same one.
None of JL Audio’s e-commerce databases or dealer databases have been affected, only the online gallery database. No credit card or other financial information has been compromised.
The exact nature of the compromised information is as follows:
Email address (User ID)
Password
First Name (optional)
Last Name (optional)
Address1 (optional)
Address2 (optional)
City (optional)
State (optional)
Zip Code (optional)
Age (optional)
Enter date (Date the gallery was created)
We sincerely apologize for this inconvenience and breach of security.
If you have any questions regarding this issue, please feel free to contact me at [email protected]
JL Audio was warned of this vulnerability and did nothing.
So once again, system admins who are too busy shoving donuts in their faces blame someone else for their incompetence, when it gets exposed.
When and how were they warned? And do you know if the warning was transmitted to the firm or contractor who handles their site for them?