CeX Data Breach Affects 2 Million Gamers, Techies

News
By Nathaniel Mott
published

CeX announced that the names, addresses, email addresses, and phone numbers of 2 million of its customers have been compromised. The company, which operates a secondhand marketplace for games and tech products, said it's still investigating the extent of the breach.

Retailers have been popular targets for hackers for years. In addition to storing payment data, these businesses often collect information about their customers via loyalty programs, store credit cards, and other collection methods. This combination of financial and personal data is valuable because it can be used to make fraudulent purchases or steal a person's identity. It could also be used to assist with more targeted attacks.

CeX said in its announcement that a "small amount of encrypted data from expired credit and debit cards may have been compromised" in the breach. The company said it stopped collecting this information in 2009, so even if the encryption is broken, the damage should be minimal. That's good news for anyone who's bought something from the retailer's website in the intervening years, though the personal data leak is still worrisome.

Here's what the company said about its approach to digital security:

We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

CeX advised people affected by the breach to change their passwords on any site that uses a similar password. The company said the passwords affected by this breach weren't stored in plain text files, but if your password "is not particularly complex then it is possible that in time, a third party could still determine your original password" and use it on another site. (Which, again, is why you shouldn't repeat passwords across services.)

Approximately 2 million people were affected by this data breach. CeX said it emailed anyone it suspected was affected by the issue, so if you haven't received an email, the company believes your information is safe. It will know more as its investigation into the breach continues.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

3 Comments Comment from the forums
  • SinxarKnights
    The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
    https://uk.webuy.com/guidance/
    Reply
  • derekullo
    The only thing missing is when the breach happened.

    Recently?

    "The company said it stopped collecting this information in 2009"
    Only means that data that was stolen is at least 8 year old data.
    Was that 8 year old data stolen yesterday or in 2010?

    Their Questions and Answers page looks like a 5th grade short story test.
    Reply
  • ganron
    WHEN WHEN WHEN the breach happened/detected is the most critical info in a security breach. I see no info in their site Q&A.
    Reply