New data leak in France: E.Leclerc victim of a cyber attack, change your passwords

E. Leclerc, the major French retailer, has just suffered a cyberattack. In an email to its customers, the company indicated that it had noticed "fraudulent attempts to access" Primes énergie E.Leclerc accounts. This is the program that allows the brand's customers to benefit from aid for energy-saving work. This program is part of the energy-saving certificates, the national initiative that aims to encourage individuals to renovate their homes.

Passwords hacked?

Some of the program's beneficiaries have seen their personal data compromised by hackers. According to E. Leclerc, "certain information may have been exposed" following the intrusion. This covers the last name, first name, email address, file number, premium amount and service description. This data can serve as a starting point for countless online scams aimed at extorting money from Leclerc customers.

Above all, the brand mentions unauthorized access to "access credentials". As researcher Clément Domingo explains, this is likely the password or the "password hash", i.e. the encrypted version of the access code. This is obviously sensitive information, likely to endanger the French people concerned. It increases the already high risk of finding oneself involved in a so-called credential stuffing attack. In short, hackers can use the credentials in their possession to try to connect to other services and websites. This is

Change all your passwords

In accordance with the law, E. Leclerc has notified the National Commission for Information Technology and Civil Liberties (CNIL), the body responsible for data protection in France. The CNIL may investigate how the company secured the data as part of an audit. The CNIL has also committed to increasing the number of audits during the year, given the explosion of data leaks in France.

As a security measure, E. Leclerc has reset "all passwords for E.Leclerc Energy Bonus accounts". Users will have to choose a new password the next time they log in. The company also recommends that all affected individuals change their passwords "on all services for which you use similar identifiers". This precaution should stem credential stuffing attacks.

For Clément Domingo, the cyberattack against E. Leclerc could also be based on a credential stuffing operation. The expert does not rule out the possibility that a vulnerability was exploited, or that the hackers launched a scraping operation. Scraping is a technique for extracting data from a website using automated software.

It's a massacre in France

In any case, the run of bad news continues for data security in France. During the first weeks of the year, several entities have already been victims of an intrusion. This is the case for several French sports federations. As a result of these breaches, the personal data of more than 4.5 million French people ended up for sale on BreachForums, the black market for compromised information. This is also the case for several well-known brands, including Kiabi and Showroomprivé.
