UPDATED with comment from Bed Bath and Beyond.
Bed Bath and Beyond has had some customer data compromised — but exactly what kind of data, how the data was compromised and how many people were affected is still unknown.
"Bed Bath & Beyond Inc. (the 'Company') discovered that a third party acquired e-mail and password information from a source outside of the Company's systems which was used to access less than 1% of the Company's online customer accounts," Bed Bath and Beyond stated in a mandatory, but very brief, Securities and Exchange Commission filing (opens in new tab) yesterday (Oct. 29).
"On October 29, 2019, the Company sent notifications to certain customers as required by applicable legal requirements," the statement continued. "None of the Company's online customers' payment cards were compromised as a result of this incident. Since becoming aware of this incident, the Company retained a leading security forensics firm and has implemented remedial measures."
That's it so far. We haven't yet seen any more information, such as the notifications that are supposedly being sent out to affected customers. There's nothing posted yet on the Bed Bath and Beyond website.
We've sent a email query to Bed Bath and Beyond and left a voicemail message for its PR team, and will update this story when we receive a response.
What to do, and what may have happened
But in the meantime, if you have a Bed Bath and Beyond online account, you'll want to change your password, just to be safe. Make sure that new password isn't used anywhere else. Furthermore, if you did use the old password somewhere else, change it there, too.
Bed Bath and Beyond's vague statement given to the SEC could mean a number of different things:
— Bed Bath and Beyond's own computer systems may have been breached
— A third-party company supplying Bed Bath and Beyond may have been breached
— An employee's login credentials, of either Bed Bath and Beyond or a supplier, may have been used to access protected systems
— Individual user accounts with Bed Bath and Beyond may have been compromised due to password reuse (opens in new tab) on the account holders' parts
Of more immediate concern is the part about acquiring "password information." Again, that could be interpreted as meaning an authorized Bed Bath and Beyond employee had his or her password stolen. But it could also mean that the stolen passwords belonged to registered users of the Bed Bath and Beyond website.
If it's the latter, then the next step is to find out how well those passwords were protected. Bed Bath and Beyond is a big company, so one would assume the user passwords were "hashed," i.e. run through a one-way encryption algorithm, before being stored. If they were, then anyone chancing upon the hashes could not reverse them to get the original passwords.
But some hashing algorithms are better than others. A few the older ones have been "cracked" so that they are indeed reversible. Some companies do not "salt" their hashes with extra information, which means that the stored hashes can be compared to databases of pre-generated hashes of likely passwords.
UPDATE: Comment from Bed Bath and Beyond
A Bed Bath and Beyond spokesman replied to our emailed query, but unfortunately didn't give us much more information.
"A third party used email and password information acquired outside Bed Bath & Beyond and Buy Buy Baby to access a limited number of online accounts during the period of September 4-27, 2019," said the spokesman. "We investigated this matter thoroughly and no payment cards have been compromised."
"Upon detection" of the unauthorized access, "we introduced advanced security measures to safeguard our customers, deterring future attempts to access customer accounts. We also immediately locked the accounts of all customers whose online accounts had been accessed."
Asked how many Bed Bath and Beyond online customer accounts were affected, the spokesman said only, "less than 1%".
Pressed further, the spokesman said that he did not have exact numbers on the affected accounts. But he added that it was "highly likely that this incident was caused by the reuse of passwords exposed in other companies' data breaches."