CeX data breach hits two million accounts

Second-hand electronics and entertainment giant CeX, also known as WeBuy and WeSell, has warned customers of a data breach which has resulted in up to two million account details - including, in some cases, hashed passwords and encrypted credit card details - being swiped by persons unknown.

Founded in 1992 by Robert Dudani and Paul Farrington, CeX started as a single store known as the 'Computer eXchange' situated near London's Tottenham Court Road and offering the ability for people to trade in unwanted computer hardware in exchange for store credit or a lesser amount of cash. Since then the company has branched out into general consumer electronics and entertainment products and boasts 350 UK highstreet stores, 100 international stores, and websites offering post-free trade-ins and online fulfilment.

It's the company's website customers, however, that it is currently in the process of contacting following the discovery of a data breach which has resulted in up to two million account holders' personal information falling into the wrong hands.

'We have recently been subject to an online security breach. We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you,' the company told users in an email published to its website. 'We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.'

According to CeX, data stolen in the breach includes full names, addresses, email addresses, hashed account passwords, and telephone numbers for up to two million customer accounts. In 'a small number of instances,' it further warns, encrypted data from expired credit and debit cards registered with its site up to 2009 may have been included. Cards used after that date are not affected, as the company stopped storing card information locally in 2009.

As always, the advice offered in the wake of the breach is simple: Change your CeX password as well as on any service where you reused the same password and keep an eye out for suspicious emails, telephone calls, or dead-tree letters claiming to be from or to represent CeX. For its part, CeX claims to have 'implemented additional advanced measures of security to prevent this from happening again,' though the company has not provided details.