Cash-Back Site BigCrumbs Is Offline After User Accounts Were Breached

Cash-back shopping service BigCrumbs.com will be offline for as long as three weeks after discovering that some of its members’ accounts had been compromised — even though the site itself doesn’t appear to have been breached, ECommerceBytes reported.

While the company had effectively completed its analysis of the unauthorized account access by Thursday (Feb. 5), the site will remain locked down for another week or two while additional security features are added, including one that forces users to adopt passwords that are harder to guess.

BigCrumbs CEO Vince Martin said in a series of posts on the site that only about 200 of the site’s accounts show evidence of having been hijacked, in an attack that appears to have started on Jan. 18, 2015, but could have begun as early as December 2014.

The attack “appears to be the compromise of a limited number of accounts that utilized common or overly-simple passwords, or otherwise re-used credentials from a different site that was previously breached,” Martin wrote. That includes accounts whose password was the same as the account’s user ID.

Password reuse and overly simple passwords are an increasingly common security vulnerability, as the number of passwords a typical user must remember has skyrocketed from 21 five years ago to 81 today. Weak passwords are also a result of outdated policies that allow too-short passwords and check them only against simple composition rules (such as requiring upper- and lower-case letters along with numbers and symbols) rather than comparing them to lists of the most common passwords, or even to the user ID.

That’s the kind of enhanced verification that BigCrumbs will be implementing during its extended downtime, according to Martin.

“Unauthorized access may have potentially revealed such member information as first and last name, email address, postal address, and cash back history,” Martin wrote. But no payment cards were compromised in the attack because the site does not collect payment card information, Martin told ECommerceBytes.

The site normally makes payouts through members’ PayPal accounts at the end of each month. Martin said that even though the site itself was down, the company was able to make the January payments for all but the 4 percent of members whose PayPal accounts were unverified. An enhanced version of the site is expected to be back up by Feb. 19.