
WARNING: Your DDD Details Are Not Safe! (merged)

Old 10-11-04 | 09:22 AM
  #426  
MSD
Senior Member
 
Joined: Dec 2003
Posts: 323
Likes: 0
Received 0 Likes on 0 Posts
From: CANADA
That response definitely doesn't leave me feeling good.
MSD is offline  
Old 10-11-04 | 10:03 AM
  #427  
DVD Talk Special Edition
 
Joined: Jun 2004
Posts: 1,187
Likes: 0
Received 0 Likes on 0 Posts
From: Durham, NC
I have XPSP2 and have not seen anyone else's account. OTOH, I can only log off some of the time.
NCYankee is offline  
Old 10-11-04 | 10:05 AM
  #428  
DeepDiscount's Avatar
DeepDiscount.com
 
Joined: Feb 2001
Posts: 152
Likes: 0
Received 0 Likes on 0 Posts
From: Itasca, IL
Dear DVDTalk Members,

I apologize again, I should have been more clear in my initial post.

We are reviewing the orders and will not ship any of them until we are certain that they are shipping to the correct location. We will also be communicating with every customer who placed an order during this period. To confirm though, your credit card information was not compromised.

I will continue to update you with more information throughout the day.

David Barker
VP, Marketing
DeepDiscount is offline  
Old 10-11-04 | 10:07 AM
  #429  
Ginwen's Avatar
DVD Talk Limited Edition
 
Joined: May 2002
Posts: 7,441
Received 34 Likes on 30 Posts
From: Kent, WA
I have XP home SP2 at home, XP Pro no SP2 at work. I was using remember me. At both locations, DDD has worked correctly each time I've checked. As far as I can tell, no one else has been in my account (if they have, they didn't do anything since I have no unexpected orders and all my info is still right).
Ginwen is offline  
Old 10-11-04 | 10:09 AM
  #430  
Adrenaline's Avatar
DVD Talk Special Edition
 
Joined: Jul 2003
Posts: 1,479
Likes: 0
Received 0 Likes on 0 Posts
From: Elkridge, MD USA
Seems more work is being done as you can't access the site at all anymore.
Adrenaline is offline  
Old 10-11-04 | 10:11 AM
  #431  
Member
 
Joined: Dec 2000
Posts: 66
Likes: 0
Received 0 Likes on 0 Posts
From: Endicott, NY
For those who still have access to other people's accounts, have you cleared both your browser’s cache and ALL cookies related to deepdiscountdvd/cd? There’s 3 or 4 cookies for each site. It's possible that DDD only fixed part of the problem and that maybe cached files and cookies from before they claimed to fix it, are continuing to allow breaches in their security.
Biggdog is offline  
Old 10-11-04 | 10:16 AM
  #432  
Member
 
Joined: Dec 2000
Posts: 66
Likes: 0
Received 0 Likes on 0 Posts
From: Endicott, NY
Anyone else getting the down for maintenance message again?
Biggdog is offline  
Old 10-11-04 | 10:18 AM
  #433  
Guest
 
Joined: Oct 2004
Posts: 52
Likes: 0
Received 0 Likes on 0 Posts
Thanks to all for posting this DDD security alert. May I suggest that those who are worried about their credit card info being compromised, it would be advisable for them to monitor posting to the card accounts online every day, rather than waiting until they receive statements. This will allow you to challenge false charges as soon as they show up on your accounts.

Regarding all those who are calling for special coupons from DDD in order to atone for their security fiasco, to me, this is like someone being willing to accept a lollipop to make them forgive the Company which recklessly exposed them to potential colossal identity theft. Which do you want, Coupons or a truly secure Vendor site!

Sincerely,

NetResults
netresults is offline  
Old 10-11-04 | 10:44 AM
  #434  
DVD Talk Special Edition
 
Joined: Aug 2004
Posts: 1,716
Likes: 0
Received 0 Likes on 0 Posts
But I like lollipops...

It's a problem, yes, but one that I have yet to encounter. No one I know personally has had this problem yet either.
invisiblegt is offline  
Old 10-11-04 | 10:44 AM
  #435  
DVD Talk Special Edition
 
Joined: Jan 2003
Posts: 1,687
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by Adrenaline
Seems more work is being done as you can't access the site at all anymore.
Let's hope they finally take care of the problem.
sataniko is offline  
Old 10-11-04 | 10:51 AM
  #436  
Guest
 
Joined: Oct 2004
Posts: 52
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by invisiblegt
But I like lollipops...

Sucker!

NetResults
netresults is offline  
Old 10-11-04 | 10:54 AM
  #437  
Senior Member
 
Joined: May 1999
Posts: 442
Likes: 0
Received 0 Likes on 0 Posts
I'd like to thank David Barker from DeepDiscountDVD for replying (twice) to this thread. Whether you accept his explanation or not, this at least shows that DDD cares about this community enough to reply personally.
Booth is offline  
Old 10-11-04 | 11:02 AM
  #438  
DVD Talk Legend
 
Joined: Sep 2004
Posts: 14,403
Received 239 Likes on 187 Posts
From: Twin Cities, US of A
David Barker,

If you make what sounds like a major change to a well known commerce web site, I recommend not doing it Friday night and then heading home for the weekend without some thorough testing.

And where was this response Saturday am? While things do happen, and any fraud will hopefully be prevented, it has been the poor response to the situation that has been particularly troubling.

That being said, I sincerely hope you are able to promptly find/fix the problem. DDD is one of my benchmark sites for DVD shopping.

Please do continue to keep your customers informed of progress.
Bill Needle is offline  
Old 10-11-04 | 11:20 AM
  #439  
Senior Member
 
Joined: Dec 2003
Posts: 841
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by netresults
Which do you want, Coupons or a truly secure Vendor site!

Sincerely,

NetResults
Well that's the issue, isn't it? There's just one problem with this being DDD — this isn't the first time that this has happened, if I am not mistaken. Perhaps someone could refresh my memory? The website has a notorious reputation for "order mutations" that has been in existence since I first ordered from them a year ago. Indeed I recall seeing my first order — alternately with "The Thorn Birds" (which I never ordered) and . . . some other titles, as well.

No, this is precisely the issue: DDD doesn't need to fix their system, they need to replace it. Now who honestly thinks that, given their notorious reputation for site instability, they will do anything about this latest, perhaps most severe, iteration?

I remember reading on FW one post which inferred that DDD was "farming credit card numbers." At the time I thought that remark was specious; but how can I take as credible an assurance from DDD's top management that they are "fixing this problem" when they've never attended to their site instability in the past? I don't think DDD is farming credit card numbers but when a corporation loses credibility — repeatedly claiming to "be fixing," or "have fixed" their notoriously unstable website — you can see how people will begin to actually wonder just how serious this company is about customer privacy.

I repeat: DDD doesn't need to overhaul its site; it needs to replace it. Why on earth doesn't the company just do it and put these issues to bed once and for all? I don't get it. It's suicide to allow a site to remain this unstable. Surely the company must understand their exposure to litigation? Look at the lawsuits against EBay for their (even more serious) security breaches!

Take this seriously for crying out loud and get a new system before you are sued into the dustheap of failed internet retailers. It is negligent in the extreme to allow what is a documented pattern of system instability to continue — that's DDD's real problem: Not this one security breach but the suggestion by some that a pattern of it, over time, suggests that the company refuses to migrate to a secure, stable system.

None of us want DDD to go under. Bite the bullet and do it — preferably before the upcoming Holiday Season when the opportunity for mischief will be positively explosive, given everyone logging in, buying gifts, and unwittingly exposing their accounts to rampant fraud.

PEACH
MISS PEACH is offline  
Old 10-11-04 | 11:20 AM
  #440  
Damfino's Avatar
DVD Talk Limited Edition
 
Joined: Nov 1999
Posts: 7,369
Received 241 Likes on 190 Posts
From: Las Vegas, NV
Originally posted by Bill Needle
If you make what sounds like a major change to a well known commerce web site, I recommend not doing it Friday night and then heading home for the weekend without some thorough testing.
Take it from a 20+ year IT pro, never do implementations on a Friday if the software runs 24 hours a day 7 days a week.

Excuses will range from "It's always worked before", to "What could go wrong?", but it's never a good idea to make changes and then let the staff go home for the weekend.

My advice would be to make these updates early on Monday mornings.
Damfino is offline  
Old 10-11-04 | 11:33 AM
  #441  
Ginwen's Avatar
DVD Talk Limited Edition
 
Joined: May 2002
Posts: 7,441
Received 34 Likes on 30 Posts
From: Kent, WA
Maintenance is currently under way on the DeepDiscountDVD.com site. We are currently updating our caching services. The site should return by 12 PM CST.

We do apologize for the inconvenience.



Sincerely,

DeepDiscountDVD.com
I didn't get nailed by this, and actually think it's less of a problem than people are making of it, but they really should've had something in place to take the site down as soon as problems started showing up.
Ginwen is offline  
Old 10-11-04 | 11:52 AM
  #442  
DVD Talk Legend
 
Joined: Sep 2004
Posts: 14,403
Received 239 Likes on 187 Posts
From: Twin Cities, US of A
Originally posted by Ginwen
I didn't get nailed by this...
Problem is, if you did you wouldn't necessarily know it. The people whose accounts I had access to were very surprised (though ultimately grateful) when I mailed them screen shots of their account info and recommended they keep a close eye on things. Hopefully there is no damage done, as the vast, vast majority of people are honest, but imagine getting that email out of the blue.
Bill Needle is offline  
Old 10-11-04 | 12:00 PM
  #443  
Ginwen's Avatar
DVD Talk Limited Edition
 
Joined: May 2002
Posts: 7,441
Received 34 Likes on 30 Posts
From: Kent, WA
Originally posted by Bill Needle
Problem is, if you did you wouldn't necessarily know it...
Actually, I would after a slight delay (which is why I think people are making too big a deal of it).

1. They can't see my credit card information (only last 4 digits).
2. None of my information has changed.
3. Since they don't have my credit card info, the only thing they can do by accessing my account is order stuff from DeepDiscountDVD...those orders will all show up by tomorrow (even if they were able to put in a new email address so I didn't get the confirmation [sent automatically when an order is placed], submit the orders, then change it back afterwards), and I'll just get them cancelled (and probably get a discount too).
Ginwen is offline  
Old 10-11-04 | 12:08 PM
  #444  
DVD Talk Legend
 
Joined: Sep 2004
Posts: 14,403
Received 239 Likes on 187 Posts
From: Twin Cities, US of A
What you say is 100% true.

I was being more general, and referring to the majority of DDD customers, those who still don't know anything happened yet.

It's as if stolen property were returned to your door by the police, and that is the first you knew you were robbed, though they knew a week earlier. You're not out anything, but it sure is disconcerting.
Bill Needle is offline  
Old 10-11-04 | 12:20 PM
  #445  
Ginwen's Avatar
DVD Talk Limited Edition
 
Joined: May 2002
Posts: 7,441
Received 34 Likes on 30 Posts
From: Kent, WA
That I agree with. That's why they should've taken the site down immediately. People are really hesitant to do that, but when you don't know what's wrong, it's clearly the best alternative.
Ginwen is offline  
Old 10-11-04 | 01:19 PM
  #446  
DVD Talk Hall of Fame
 
Joined: Dec 1999
Posts: 9,464
Likes: 0
Received 1 Like on 1 Post
From: Formerly known as (ahem) "LASERMOVIES"/California
Originally posted by DeepDiscountDVD
Dear DVDTalk Members,

I apologize again, I should have been more clear in my initial post.
I think you were clear with your initial post. It's obvious DDD isn't taking this matter seriously at all. I guess when you look at it 48 hours isn't a very long time in a person's life. And if you're so sure no one's credit card or personal information was compromised then why bother checking any orders or closing the site down this morning. And finally since you claim only a few people could see other customers' accounts it was only a small problem, and presented no danger to anyone.

Only problem is 48 hours is a very long time to let this go on and not shut down the site until it was corrected. If you were updating the site it should have been more closely monitored, especially when reports came pouring in Saturday morning about security issues concerning personal information being exposed. It's also disturbing to think that many who had access to accounts had the ability to change information. While my credit card information may not have directly been exposed it did allow for potential orders and charges to be placed on my DDD account and credit card. I think that qualifies as a very serious security issue.


We will also be communicating with every customer who placed an order during this period. To confirm though, your credit card information was not compromised.


Why stop there. I think every DDD customer should know what happened. They have a right to know a major security breach with your site occurred. Sounds like you want to keep as many people as you can in the dark. And while technically my credit card information wasn't compromised you do continue to fail and mention the potential of my credit card being used.
Laser Movies is offline  
Old 10-11-04 | 01:32 PM
  #447  
Member
 
Joined: Feb 2003
Posts: 56
Likes: 0
Received 0 Likes on 0 Posts
From: MO
Thanks OP for the fyi...I was able to login and check my order history.

But, I did discover a fraudulent charge on my credit card...I'm thinking it was related to that dvdpacific.com database breach a ways back. I was able to get it resolved with Amex...thanks again for the tip that allowed me to catch that problem early!
coolbleu is offline  
Old 10-11-04 | 01:37 PM
  #448  
Member
 
Joined: Apr 2003
Posts: 215
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by LASERMOVIES

Why stop there. I think every DDD customer should know what happened. They have a right to know a major security breach with your site occurred. Sounds like you want to keep as many people as you can in the dark.
From a business standpoint, I have to question that comment. If indeed no card numbers were compromised (and I tend to believe him on that point), and no orders were placed on most accounts, why would they want to let the unaffected people on their mailing list know? That would be like McDonald's issuing a nationwide statement that its hamburgers might be bad if five people in one restaurant got a bad burger. It's a problem, but it appears to be one only affecting a small portion of the overall user base. It would not be financially prudent to make all of your customers worry about something that only affected a few. Notify those who were affected in some way, and leave the rest alone.
pOpus is offline  
Old 10-11-04 | 01:45 PM
  #449  
Senior Member
 
Joined: Dec 2003
Posts: 841
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by LASERMOVIES
Why stop there. I think every DDD customer should know what happened. They have a right to know a major security breach with your site occurred. Sounds like you want to keep as many people as you can in the dark. And while technically my credit card information wasn't compromised you do continue to fail and mention the potential of my credit card being used.
Once again my friend LASER has focused like a laser on the problem.

If this had been a product it would have been recalled — long ago, I would contend. I see nothing in the DDD press release that either indemnifies every single user of the DDD website of activities stemming from the fraudulent release of private information; nor assumes full, complete and unconditional responsibility for patterns of ongoing site malfeasance in existence for at least one year that I know of; nor, and most importantly, gives a now incredulous public any confidence that DDD will take action — including but not limited to the installation of an entirely new system, and the announcement thereof — instead of just rearranging the deck chairs on the Titanic.

PEACH
MISS PEACH is offline  
Old 10-11-04 | 01:51 PM
  #450  
Brent L's Avatar
DVD Talk Legend
 
Joined: Jun 2003
Posts: 13,617
Likes: 0
Received 2 Likes on 2 Posts
From: Upstate, SC
Originally posted by pOpus
From a business standpoint, I have to question that comment. If indeed no card numbers were compromised (and I tend to believe him on that point), and no orders were placed on most accounts, why would they want to let the unaffected people on their mailing list know? That would be like McDonald's issuing a nationwide statement that its hamburgers might be bad if five people in one restaurant got a bad burger.
The McDonald's thing is nothing at all like this situation.

If a single McDonald's has five people get very sick because of tainted beef, then all they would have to do is let every McDonald's know about it that gets the beef from the same place as the one which people got sick at. They wouldn't have to say anything about it at all of the McDonald's all over the world...unless they get the food from the same place, I don't know how this works.

There are a TON of McDonald's everywhere.

There is only one DDD.com, where everyone shops at if they do business with these people.

Everyone should understand what happened, so they could make sure everything is ok. Then DDD should let EVERYONE know it's now safe...if it's actually safe.
Brent L is offline  

