Office REFUSES to confirm if user passwords were encrypted

British shoe chain Office has been hacked with usernames, personal details and passwords all stolen by hackers.

The shoe retailer said that only accounts created prior to August 2013 had been affected, with those customers being contacted by email. Office said it had also reset customer passwords and urged people who used the same password on other websites to change these as well.

Customer names, addresses, phone numbers, email addresses and Office account passwords were all stolen by hackers. The company said no payment information has been compromised.

Office referred concerned customers on Twitter to a page on its website, but this page wasn’t linked to from the homepage or the Office blog.

Office has refused to deny that it was storing passwords in plain text but in its official statement and email to customers the company didn’t mention any form of encryption. When asked if it encrypted user passwords Office wasn’t able to comment further.

@jtemperton All the information that we have regarding this matter is published here http://t.co/iwEXix6aoa

— OFFICE Shoes Help (@OFFICEShoesHelp) May 30, 2014

One Office customer on Twitter pointed to an email from Office in 2011 that contained his password in plain text, a practice security experts are highly critical of.

Office said that affected users would have to login to their account using a one-time password and then reset their passwords in order to login to their accounts again.

Security expert Troy Hunt said chances that Office encrypted passwords were “low”, adding it was “more likely” they were hashed, but probably not hashed well. Poor hashing of passwords would make it very easy for hackers to gain access to them.

“These post-hack comms tend to be very badly handled. Often companies are reticent to disclose their internal security,” Hunt explained.