Video service Vudu began warning users today that it has instituted a systemwide password reset following an office break-in last month.
A burglary March 24 resulted in the loss of hard drives that contained users' sensitive personal information, including names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers, Vudu Chief Technology Officer Prasanna Ganesan informed customers in an e-mail. He said no complete credit card numbers were stolen because the company does not store that information.
The stolen hard drives also contained encrypted passwords, and while Ganesan expressed confidence in the encryption process, he warned that it was prudent to take precaution.
"We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft," Ganesan wrote in the e-mail (see below). "So we think it's best to be proactive and ask that you be proactive as well."
As a result, the video service said it has expired Vudu users' passwords, and it included instructions on how users can reset them. Naturally, Ganesan suggested that if the expired passwords were used on other sites, that those be changed as well. Passwords of users who accessed the site through a third party were unaffected, he wrote.
The Santa Clara, Calif.-based video service has arranged for a year of free identity-protection service from AllClear ID for customers affected by the theft, and it posted an FAQ to address users' security questions.
Ganesan did not indicate how many users were affected or why it took the service more than two weeks to notify them of the break-in and the loss of their personal information. CNET has contacted Vudu for comment and will update this report when we learn more
The e-mail sent to users today:
Dear Vudu Customer,
We want to let you know that there was a break-in at the Vudu offices on March 24, 2013, and a number of items were stolen, including hard drives.
Our investigation thus far indicates that these hard drives contained customer information, including names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the Vudu site and have only logged in through another site, your password was not on the hard drives.
While the stolen hard drives included Vudu account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.
If you had a password set on the Vudu site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired Vudu password on any other sites, we strongly recommend that you change it on those sites as well.
As always, remember that Vudu will never ask you for personal or account information in an e-mail. Please use caution if you receive any e-mails or phone calls from anyone asking for personal information or directing you to a Web site where you are asked to provide personal information.
As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our Web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.
Chief Technology Officer, Vudu