Working from the comfort and solitude of my fortress in the north I stumbled across an announcement that the online image publishing service, Shutterfly, had a few of their web properties compromised. They released the information and did so roughly a week after the breach was initially discovered. Not too shabby on their part.
Then I read the most wonderful statement I have seen in a breach disclosure in a long while, "We encrypt customer credit and debit card information". I jumped for joy. I would LOVE to see that in more cases like this but, more importantly I would like to see fewer of these data breaches period.
They took the step to "encourage" their customers to change their passwords. To be fair the prudent step would have been to reset them and let the users change them. Not the end of the world but, it would have been nice to see that.
What I thoroughly did enjoy was the fact they posted a customer Q&A page. Well done on this point. While there isn't a great deal of detail they did an excellent job of laying out the information for their customers as best that they could. I was rather pleased to see this approach. The only difficulty in this case was it was not at easy to find on the site at all. Here is a link to it for your own edification.
I did want to highlight one part regarding a line from the Q&A page.
I use the same password for multiple accounts. Should I change all passwords on those accounts?
Yes. We encourage customers who reused the same password on other sites to change those passwords, too. As a general security practice, the same password should not be used across multiple sites or accounts.
I absolutely agree (and emphasize) that a person should not use the same credentials on multiple sites. This is a problem that is fast becoming more of an Achilles heel that attackers are concentrating on. Attackers will gather a list of compromised accounts and then use them to try and access other sites with the same credentials invariably leading to data theft and in some cases monetary loss affecting the owner of said credentials. Not an enjoyable situation to be in. Please don't reuse your passwords.
It appears that Tiny Prints, Treat, and Wedding Paper Divas accounts were using a shared backend infrastructure that was separate from Shutterfly as they note that Shutterfly users were themselves not affected by this data breach.
The company is working with law enforcement and a forensics firm to get to the bottom of this incident. They do not know at this time who was behind it and in all likelihood may never learn who the perpetrators were.
Kudos to Shutterfly for the quick response and the Q&A regarding the breach. Just, could you make it a little easier to find?