Video-streaming service and Wal-Mart subsidiary Vudu said this week it was the victim of a data breach last month and was resetting customers' passwords as a result.
The breach, however, didn't occur in the manner you might expect.
Instead of gaining entry to Vudu's network, the company said in a statement, burglars actually broke into the firm's Santa Clara, Calif., headquarters and strolled out with several hard drives, along with other hardware.
It's not clear whether the hard drives were the intended targets for theft, or were just scooped up indiscriminately as part of a bigger haul.
The hard drives contained sensitive customer information, including names and addresses, birth dates, email addresses and account activity.
Also included were encrypted, or "hashed," passwords and partial credit-card numbers — specifically, the last four digits of card numbers.
Vudu stressed that customers' full credit-card numbers were not stored on the stolen drives.
Only those customers who access Vudu directly through Vudu.com are affected. Even though the stolen passwords were encrypted, Vudu thinks it's safest to start from scratch.
"We are proactively retiring and resetting all passwords and notifying all customers," the company said. "As another level of protection for customers, we are also providing AllClear ID identity protection services. We reported the theft to law enforcement immediately, and are cooperating fully with their investigation."
The company didn't disclose which algorithm was used to protect the passwords. Several common hashing algorithms are particularly susceptible to password crackers, who keep databases of precomputed hashes of every word in the dictionary.
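The difference between a stored hash that a precomputed dictionary can match and one it cannot is shown in the added example below, which is not from Vudu or from the original article. It assumes unsalted SHA-1 for the weak case and per-user salted PBKDF2 for the stronger one; the word list, accounts, function names and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny word list standing in for a cracker's dictionary.
WORDLIST = ["password", "dragon", "sunshine", "letmein", "monkey"]
ITERATIONS = 200_000  # assumed work factor, chosen for the example only


def unsalted_sha1(password):
    """Weak storage: the same password always yields the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Hash each word once; the table is reusable against any unsalted dump."""
    return {unsalted_sha1(w): w for w in words}


def salted_record(password, salt=None):
    """Stronger storage: random per-user salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def table_hits(stored_hex_values, table):
    """Return the plaintexts a precomputed table recovers from stored values."""
    return [table[h] for h in stored_hex_values if h in table]


def demo():
    table = build_precomputed_table(WORDLIST)
    # Two constructed accounts that chose the same dictionary word.
    unsalted_db = [unsalted_sha1("sunshine"), unsalted_sha1("sunshine")]
    salted_db = [salted_record("sunshine"), salted_record("sunshine")]
    return {
        "unsalted_hits": table_hits(unsalted_db, table),
        "salted_hits": table_hits([d.hex() for _, d in salted_db], table),
        "salted_records_differ": salted_db[0][1] != salted_db[1][1],
        "login_still_works": verify("sunshine", salted_db[0]),
    }
```

With a salt, a stolen table has to be attacked one account at a time at the key-derivation function's cost, and weak passwords remain guessable, which is why a forced reset and stronger password rules still matter after a theft like this one.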
Vudu said it has new rules in place to require that customers create stronger passwords. Not all affected customers have yet been notified directly.
Although Vudu ended up doing the right thing by publicly notifying its customers, the notice came more than two weeks after the March 24 break-in.
"We provided notification the day after law enforcement lifted their request to delay," the company said.