Company news

No, digitec and Galaxus were not hacked

Aurel Stevens
3.10.2019
Translation: machine translated
Co-author: Christopher Holder, Cédric Bürke

Passwords have been automatically tried out on hundreds of thousands of digitec and Galaxus customer accounts. Unfortunately, this is not the first time. It's not hackers at work, but criminals. There's not much we can do - but you can!

Last Monday was unfortunately not a normal Monday morning. When the security crew booted up their computers, there was an adrenaline rush. A message popped up in the monitoring system: Attention - anomaly with failed logins. Pulses rose, keyboards rattled, and a few expletives echoed through the office.

A quick check with the monitoring tool confirmed the bad premonition: cyber criminals had been at work in the dark, carrying out credential stuffing. A task force was quickly set up to analyse the data.

What is credential stuffing? It is quite simple and does not require a great deal of knowledge. The attacker obtains large lists of password and user name combinations on the darknet that have been stolen in hacks of websites from all over the world.

Criminals exploit laziness

Unfortunately, many users always use the same password for their various logins. Combined with the same email address or username, this makes things easy for internet fraudsters. They test the stolen combinations on various websites and save the successful logins in a list. The list is then sold on or misused directly for fraudulent purposes.
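An added example (not digitec's or Galaxus's monitoring code) of how a failed-login anomaly of this kind can be told apart from ordinary typos: a stuffing source tries many different accounts once each and almost always fails. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events for one monitoring window:
    (source_ip, username, login_ok). IPs are documentation ranges."""
    events = []
    # Normal customers: same account every time, the occasional typo.
    for i in range(6):
        events.append(("198.51.100.7", "anna", i != 2))
        events.append(("198.51.100.9", "beat", True))
    # A forgetful customer retrying their own password (not stuffing).
    events += [("198.51.100.23", "carla", i == 4) for i in range(5)]
    # Stuffing pattern: one attempt per account, many accounts, mostly failing.
    events += [("203.0.113.50", f"user{i}", i % 50 == 0) for i in range(200)]
    return events

def stuffing_suspects(events, min_accounts=20, min_fail_ratio=0.9,
                      max_tries_per_account=2.0):
    """Return {source_ip: stats} for sources whose failed logins look like
    credential stuffing rather than a user mistyping a password."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "accounts": set(), "hits": set()})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(user)
        if ok:
            s["hits"].add(user)
        else:
            s["failures"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        tries_per_account = s["attempts"] / len(s["accounts"])
        if (len(s["accounts"]) >= min_accounts
                and fail_ratio >= min_fail_ratio
                and tries_per_account <= max_tries_per_account):
            # Successful logins from a flagged source are the accounts
            # to review and password-reset.
            suspects[ip] = {"accounts_tried": len(s["accounts"]),
                            "fail_ratio": round(fail_ratio, 2),
                            "accounts_to_reset": sorted(s["hits"])}
    return suspects

if __name__ == "__main__":
    for ip, stats in stuffing_suspects(sample_events()).items():
        print(ip, stats)
```

This check is per source address only; when attempts are spread across many addresses, the same failure ratio and distinct-account count have to be tracked site-wide against a baseline.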

The criminals cannot have parcels sent abroad, and delivering parcels to Swiss addresses would get the police involved. The criminals therefore use the hijacked accounts to buy software licences. The licence keys are then offered on relevant websites.

These attacks are not commonplace, but they are also nothing new. That is why we have published articles in the past on how to set a secure password. We have also been offering two-factor authentication since 2017.

  • Behind the scenes

    New: Two-factor authentication for your user account

    by Thierry Pool

  • Background information

    After the hacker attack: How you can protect yourself from brute force attacks

    by Dominik Bärlocher

Little damage, a lot of trouble

In the current case, the analysis revealed that several thousand customer accounts had been successfully accessed. Credit notes in the accounts of 40 of them were used to buy software totalling 3200 francs. Digitec Galaxus will cover this loss. The customers do not have to pay anything. We have reset the passwords of the affected customers and informed them, so that they are more careful when choosing their password in future.

Another new aspect is that the customer information is finding its way to the media. This time, the radio programme Espresso carried the news. 20 Minuten Online, Tagi Online and Watson picked up the story.

After several years, reporting has improved somewhat. It's a shame that there is still talk of hackers and skulls are still being mounted on screenshots of our website. Fortunately, nobody has died. Nothing has been hacked and nothing has been "hacked". What was exploited, automatically, is the fact that people tend to be lazy and forgetful and use the same password multiple times.

Reminder: What can you do?

  • Use a different password on every website. If you don't want to remember them all, you can use a password manager such as 1Password or KeePass.
  • Enable the 2-factor authentication that we offer. It prevents unauthorised access to your account, even if a criminal has stolen your username and password online.
  • Check whether your email address has ever been stolen or used in an attack. You can check this on the website haveibeenpwned.com by security researcher Troy Hunt.

Thank you for your help!
