CeX has notified up to two million customers about an online security breach that might have compromised their personal data.
On 29 August, the second-hand goods chain that specializes in computer and video games announced it had suffered a security event. As quoted in a statement posted to its website:
“We have recently been subject to an online security breach. We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”
Out of an abundance of caution, CeX told upwards of two million of its customers that the breach might have compromised their personal information. The data at risk includes customers’ names, email addresses, physical addresses, phone numbers, and “encrypted data from expired credit and debit cards up to 2009.” The company says it stopped storing financial information in 2009, so even if an attacker stole that card data, they could not monetize it in any way.
That CeX stores expired financial information and doesn’t just delete it struck Javvad Malik as odd. As quoted by BBC News:
“It’s surprising that Cex still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details.”
Later on in its statement, the company urged customers to change their passwords for webuy.com, a marketplace it runs where members buy and sell electronic goods. CeX says it didn’t store users’ passwords in plaintext. But it appears those passwords are still at risk of being recovered.
Here’s what the company said about the matter:
“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.”
Such a warning has left many users and members of the security community confused. Some wonder why the company didn’t issue a mandatory password reset instead of asking users to change their passwords. Others have contacted the chain to understand how CeX stores users’ passwords.
How are #passwords stored @cex? Thanks pic.twitter.com/KnJWatkgxL
— Paul Moore (@Paul_Reviews) August 29, 2017
While researchers endeavor to learn more about what exactly happened in the breach, CeX revealed it’s hired a “cyber security specialist” and implemented additional security measures to prevent similar incidents from occurring in the future.
News of this incident follows more than two years after live streaming video platform Twitch suffered a breach.