Vudu Burglarized, Users Should Change Passwords Pronto
According to an FAQ that Vudu posted on its site, the hard drives indeed contained customer data, “including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers.” The drives also contained passwords; although they’re encrypted, Vudu has gone ahead and reset all users’ passwords. That’s the bad news.
The good (well, not as bad) news is that Vudu doesn’t store full credit card numbers, and it doesn’t have a record of passwords if users logged on from another site instead of directly through Vudu.
Why didn’t anyone hear about this sooner? That’s unclear, although from Vudu’s statement on that issue, we infer that law enforcement advised them to keep it quiet until the investigation was complete and a full assessment of the damage was done.
That won’t be much comfort to those who have had their private data swiped by criminals who are doing god-knows-what with it, though. Typically when a company experiences a security breach, it takes immediate action to identify and remove the threat and alerts users right away; Vudu let this breach fester for well over two weeks, which is egregious.
The company did throw users a bone by offering a year of free AllClear ID identity protection service, but it might be too little, too late.