Loblaw Resets All PC Plus Passwords Following Security Breach
By Simon Hung
February 21, 2017

If you’re a member of the popular PC Plus loyalty program, you’ll need to create a new password to access your account, because Loblaw has reset all account passwords following a security breach.
PC Plus is used in over 20 Loblaw-owned grocery stores across Canada and this is the second time in less than a month that the company has issued a security notice to its members regarding the breach, which compromised an unknown number of accounts and resulted in points being stolen.
Upon entering the PC Plus site or opening the app, all members will need to create a new password, even if they had already changed it recently. Note that password changes cannot be done through the app and must be done via the website. Loblaw has issued a statement saying that the breach was likely a result of some members using weak username and password combinations across multiple sites.
It’s unknown when exactly the breach occurred, but a thread was created in our Shopping Discussion forum in December 2016 after a member discovered that their points were missing. Any PC Plus members who suspect their points were stolen should contact customer service via email or phone (1-855-672-7587) to have their points reimbursed.
Since February 1st there is a NEW Loyalty Program... whereby the Loblaws Group (PC+) joined forces / merged with Shoppers Drug Mart’s Loyalty Program (SDM Optimum) into ONE NEW Loyalty Program known as PC Optimum
www.pcoptimum.ca
If you are a PC Financial Customer as well (with a PC Financial MC), then it and its related PC Points would also link into the NEW PC Optimum Program.
For more info see the above PC Optimum Website, and the related thread here on RFD
pc-optimum-discussion-thread-formerly-pc-plus-2040084/
http://globalnews.ca/news/3236903/exclu ... -question/
Someone with a list of logins and passwords might have been hitting the site non-stop with login requests.
...And on their login page now:
There are no such limitations in Android or iOS. If anything, it's even easier to build a login screen on a mobile app than a website. The constraint would be from the infrastructure on their end which would be the same for whatever client interface.
For example, it might be due to limitations in the design of the login in their mobile app.
Absolutely! I've been saying that all along. A bunch of incompetent dolts. Their lack of transparency about what actually was breached and what data was compromised makes it even harder for those of us who take security seriously to prevent further compromises of our accounts, not only with PC Plus but others.
For example PC Plus accounts are linked to credit card numbers.
1. What CC info was compromised?
2. What are the risks that this breach will facilitate fraud on other sites?
3. What steps should PC Plus members take to prevent, or at least watch out for, related security breaches?
The federal privacy commissioner needs to step in and force Weston to reveal more about what happened. (News reports with quotes from security-naive police spokespeople aren't even a good start, let alone adequate.)
PCPlus sent the email. PCPlus is the one having security issues. Anyone and their dog can get a PCPlus account at the register at a PC store.
I use Outlook and it doesn't recognize PC emails as legitimate unless you add them to your "safe senders" list.
My father-in-law also got the email - he thought it was a phishing email! Why would PC Financial send an email (most banks don't do this) and not call the cardholder....
Crazy thing was my FIL called into PC Financial using the # on the back of his Credit card and the rep couldn't help or answer any questions about it (or could even help) - rep directed FIL to the same # that was listed in the email......goodness!!
A couple of comments about the article:
What a clusterf*ck. Some people are so afraid of being scammed that they don't even trust (or recognize) legitimate e-mails. This is going to create a lot of ill-will with customers and take a long time to sort out.
This is where Loblaws needs to be more open about what happened and what information was compromised. The PC Plus website doesn't show attached credit card numbers, only the last four digits. But a skilled social engineer can parlay that (and maybe the full PC Plus card numbers which are displayed) into the complete credit card number or other information that could be used to commit fraud.
I doubt credit card PIN numbers are stored on the PC Plus website. After all why would they need that info? But who really knows. Loblaws needs to clarify this and related issues about what information has been compromised. Simply asking people to change passwords is neither effective nor reassuring. (And if they don't know for sure, they should do something like Home Depot did and offer a year of free credit monitoring.)
Seems strange that a cop would be so naive. There's a simple solution to this sort of concern. When someone like PC Plus asks me for info like DoB (or SIN, etc.) that I don't think they need to know, I just give them a fake one. (I use the same fake DoB, SIN, etc. in all such cases so they're easy to remember.)
http://www.cbc.ca/news/canada/ottawa/st ... -1.3992660
P.S. I finally got my reset e-mail on the second day. They seem to have wised up about password length and are doing what little they can do to deal with it by forcing new passwords to be 8 characters.
Thanks for calling us for help. To reset your password, simply click the link below.
Reset my password
Thanks,
The PC Plus™ Team
**
I never called these clowns, I did try a reset as prompted on their website. More incompetence or did someone actually call them pretending to be me?
I still feel that Loblaws should update the security on their sites and allow for longer passwords. I personally prefer using a longer password even if people say that doesn't necessarily mean it is safer.
It'll be interesting to see if they bother to try and find any of the culprit(s) who fraudulently were redeeming other customers points.
I still have all my points, but haven't had a chance to use them up. I have literally not been shopping since December, and have my card as the only one that can be used to redeem. I check that setting each time too.
I am one of those where I don't think it was me.
I use unique passwords that have nothing related to my user ID or email. I honestly don't think Loblaws has a clue what's going on.
So do you say the same thing, that someone deserves to be robbed because they have a nice house?
Just to let you know, my passwords are all secure; the PC Plus account had a separate password from my other main accounts, which also have different passwords. I am extremely careful about my internet identity, yet I 'deserve' it.
That said, password reuse and use of easy-to-guess passwords are very common problems, especially on sites like PC+ that don't do financial transactions. Often people use the same username (e-mail address) and password on all such sites they use because that's a lot easier to remember than unique passwords at every site. After all, they reason, it's only points not my banking data so what can go wrong, etc.? Then their points, worth $100s go AWOL and suddenly they "get it."
But here's what's really inconsistent. If they don't trust that my first and second password changes were secure, why do they trust the third one? This just adds further confirmation to my contention "that they really don't know what they're doing so they're doing 'stuff' just to give the impression that they've got this under control."
They've been hacked internally; either they know it and they won't admit it, or their IT or whatever digital forensic investigator they hired is so incompetent they haven't figured it out.
Oh Click and Collect is deeply cool. A little buggy, but cool. If you go view your offers through C&C you can actually click through to a list of the products the offer applies to (often some you don't expect).
The prices in C&C match the in-store system prices daily and are more accurate than store signage, so it is a good tool for SCOP and unmarked clearance lovers.
As if I'm going to trust my personal information to yet another Loblaws-administered database
(But thanks for the clarification.)
P.S. I feel sorry for Rick Mercer. There's no way he can come up with material that's funnier than the daily jokes I've been getting from PC Plus in my e-mail inbox.
Does that strike you as acceptable?
Does that suggest that they know what they're doing with regard to security?
Does that convince you that this will be the last time they put people through this nonsense?
Do you believe that these actions will be successful in truly securing your account from hackers and fraudsters?
(My answer is no on all counts.)
Only at stores that offer this and only if you're comfortable with the C&C program in the first place.
Right now they're in random damage control. First they locked accounts selectively based on reports of stolen points. Then they stopped redeeming points for GCs on a selective basis. Now there's a blanket stop on redemptions for GCs and a blanket 2-day lockout of all customers.
It's become quite clear that they're flailing around trying to stem the damage without much of a clue about what happened in the first place or what they can do to make it stop on an ongoing basis.
Amateur hour at President's Choice. Dave Nichols must be spinning in his grave.
I don't think that's the issue. It's hard enough to brute-force an 8-character password that's a mix of upper/lower/digits/special chars. The people whose accounts are being compromised use common passwords like "12345678" or more complex passwords that they reuse on multiple sites. There's no need for hackers to waste time on brute-force attacks when they can get lists of millions of passwords for free on the web.
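The two attack shapes discussed in this thread (a leaked username/password list replayed against the login page, versus brute force on a single account) leave different fingerprints in authentication logs. The following is an added detection example, not code from the article, the forum or Loblaw; the log format, the IPs, the accounts and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of login-attempt log lines (not real PC Plus logs).
# 203.0.113.5 cycles through many accounts with a few successes: a
# credential-list replay. 198.51.100.7 hammers one account: brute force.
SAMPLE_LOG = """\
2017-02-20T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2017-02-20T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2017-02-20T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2017-02-20T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2017-02-20T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2017-02-20T10:00:04Z ip=203.0.113.5 user=frank@example.com result=OK
2017-02-20T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-02-20T10:01:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-02-20T10:01:02Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-02-20T10:01:03Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-02-20T10:01:04Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-02-20T10:05:00Z ip=192.0.2.9 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")


def classify_sources(log_text, min_attempts=5, spread_ratio=0.8):
    """Return {ip: (label, accounts_logged_in_from_that_ip)}.

    'credential_stuffing': nearly every attempt targets a different account
        (distinct accounts / attempts >= spread_ratio); the OK entries are
        the accounts whose reused password worked and need a forced reset.
    'brute_force': many attempts concentrated on one or a few accounts.
    'normal': fewer than min_attempts attempts from this source.
    Thresholds are assumptions chosen for this constructed sample."""
    attempts = defaultdict(list)  # ip -> [(user, succeeded)]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ip, user, result = m.groups()
            attempts[ip].append((user, result == "OK"))
    report = {}
    for ip, events in attempts.items():
        n = len(events)
        distinct = len({u for u, _ in events})
        hits = sorted({u for u, ok in events if ok})
        if n < min_attempts:
            label = "normal"
        elif distinct / n >= spread_ratio:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        report[ip] = (label, hits)
    return report
```

Per-source lockouts and rate limits stop the brute-force pattern; the stuffing pattern is only stopped by resetting or stepping up authentication on the accounts that returned OK, which is roughly what a blanket reset achieves more bluntly.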
Remember you can still see your offers through Click and Collect if you are signed up there, in the meantime.
They wouldn't.
At the end of the day I would like for them to come forward and admit they were hacked instead of shifting the blame on the consumer.