Costa Coffee Club warns of possible database intrusion

A Naked Security reader just sent us a “possible breach” warning he received.

This one’s from the Costa Coffee Club, a loyalty programme from Costa, a UK franchise that runs a chain of…

…you guessed it, coffee shops.

The loyalty card is of the conventional sort: you get 5p of credit to use in-store for for every pound you spend.

You also get unlimited free Wi-Fi.

It’s the sort of loyalty deal many of us would take, even though it means giving away a spot of Personally Identifiable Information (PII).

Costa’s asks for name, email, birthday, phone number and physical address; it also asks you to create a password using the following rules:

The password must be between 8 and 15 characters and include at least 1 uppercase letter, 1 lowercase letter, and 1 number. We also recommend avoiding common words such as 'Password1'

→ No, we don’t know why websites set upper limits like 15 on password length. If you’re storing passwords as salted hashes, length becomes irrelevant because every salt and hash ends up at a constant length. For example, Microsoft’s webmail maxes at 16 characters; Android passwords max out at 17 characters, but why? If you’re happy with 19 mixed-up characters and digits, or with 25 lower case letters of the correct­horse­battery­staple sort, what’s the problem? Having a plethora of different password construction rules is a needless complexity for password managers, because it means they need to keep track of which rules apply to what sites.

According to the breach warning, Costa’s says it has spotted unusual activity on about 1 in every 5000 accounts (0.02%), and has suspended access via its login page.

That means you can’t reset your password, at least not yet.

Costa’s also says it’s “introducing a new format for your password to further optimise security and protect your Coffee Club points.”

Quite what that means is unclear, but let’s hope it doesn’t lead to yet more complex rules about how to construct your password.

The more strictures you introduce by trying to produce a synthetic increase in complexity, the greater the risk your users will end up with passwords less secure than if you let a password manager choose randomly.

Passwords like aZsXdC!@#123qAwSrF may look super-complex at first sight, with 18 characters; digits carefully added other than at the end; punctuation marks that are unusually chosen and located; no dictionary words; and capital letters other than at the start.

But that one is actually an easy pattern on a US keyboard (type it in and see where your fingers go).

It probably isn’t in any password lists, and it’s nice and long, but it isn’t random.

If attackers should ever figure out the trick you use to generate your pseudo-complex passwords, you’re done for, especially if you use similar patterns on other accounts.

So don’t do that.

What to do?

By the way, Costa’s hasn’t yet worked out how the misused accounts were compromised.

If it was a breach, and the stolen passwords were securely stored, the few that have been cracked were probably poorly chosen, so don’t do that.

If it wasn’t a breach, then the passwords may have been recovered because you re-used them on some another account, so don’t do that, either.

UPDATE 23 April 2015: Costa Coffee’s parent company, Whitbread, contacted us with a statement from Jim Slater, Managing Director of Costa Coffee in UK and Ireland:

Through security checks we identified a small number of Coffee Club Card members (around 0.02%) who had some unusual activity on their account.

As a result we have conducted a full security review and in the interim, removed the ability for Coffee Club members to access their account online.

We have already contacted those customers affected and emailed all registered Coffee Club members to make them aware of the situation. Customers can still continue to collect and redeem points as usual.

It's important to note we do not hold any financial data on the Costa loyalty card system and we want to take this opportunity to apologise for any inconvenience and concern this may cause but it's very important to us that customers' points and registration details remain safe.

→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.