We have identified a bug present in our internal log system affecting some user passwords.
At Vend, we hash passwords before we store them. Hashing performs a one-way transformation on a password, turning the password into another set of characters, so the true password is masked to anyone who views it. Vend hashes these user passwords using the bcrypt algorithm. Bcrypt is an industry-standard technology that many other companies use for this same purpose.
However, we have identified a recent bug which allowed a small group of passwords to be stored in plain text in our internal log system.
This means that any Vend user who reset their password between 24th February and 4th May had their password stored in Vend’s secure internal log system in plain text, rather than it being automatically hashed as is usual. This internal log system, which also includes many other kinds of datasets, is only accessed by those with a legitimate need to do so for the development and operation of Vend, such as our software engineers.
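The two controls described above, one-way hashing of the stored credential and keeping the plain-text password out of any log record, can be shown together in a small password-reset handler. This is an added illustration and is not Vend’s code; it uses scrypt from Python’s standard library as a stand-in for bcrypt so it runs without extra packages (both are salted, work-factor-tuned password hashes), and the field names treated as sensitive and the LogSink class are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Field names that must never reach a log record in the clear (assumed names).
SENSITIVE_KEYS = {"password", "new_password", "old_password", "password_confirmation"}

# scrypt work factor (stand-in for bcrypt's cost parameter).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """One-way, salted hash of a password; the plain text cannot be recovered from it."""
    salt = os.urandom(16)  # fresh random salt per password, so equal passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p))
    except ValueError:  # malformed record, bad hex, or unusable parameters
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def redact(event):
    """Recursively replace the value of any sensitive field before it is serialised for logging."""
    if isinstance(event, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact(v) for v in event]
    return event


class LogSink:
    """Minimal stand-in for an internal log system: every event passes through redact() first."""

    def __init__(self):
        self.lines = []

    def write(self, event: dict) -> None:
        self.lines.append(json.dumps(redact(event), sort_keys=True))

    def contains(self, needle: str) -> bool:
        """Defender's check: does the plain-text value appear anywhere in what was logged?"""
        return any(needle in line for line in self.lines)


def reset_password(user_id: str, new_password: str, sink: LogSink) -> str:
    """Hash the new password for storage and log the event, never the credential itself."""
    stored = hash_password(new_password)
    # The whole request payload is logged for debugging, which is exactly where a plain-text
    # password would leak if the sink did not redact it.
    sink.write({"event": "password_reset", "user_id": user_id,
                "request": {"user_id": user_id, "new_password": new_password}})
    return stored


if __name__ == "__main__":
    sink = LogSink()
    record = reset_password("user-42", "correct horse battery staple", sink)  # constructed sample
    print("stored:", record)
    print("logged:", sink.lines[0])
    print("plain text in log:", sink.contains("correct horse battery staple"))
```

The `contains` check is the kind of test a log pipeline can run on constructed secrets to catch a regression of this bug before a release: write a known marker value through the reset path and assert it never appears in the sink.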
The Vend Security team immediately took steps to fix the bug, deleted all plain-text password records, and implemented a full investigation into the event including identifying the exact users impacted. Our investigation has not shown any indication that this password data has been externally exposed, or misused in any way.
Any time a password is potentially exposed, even where, as with this incident, there’s no reason to believe the information has been externally accessed or misused, we recommend that users change their passwords. It’s especially important to do this if the password is also used to log in to other sites.
All users, and the primary admins of the Vend accounts they are part of, have been informed of the issue, and asked to reset their passwords across any site where it was used, to ensure their information is kept safe. Any Vend user who did not receive a notification about this directly is not involved and doesn’t need to take any action.
We’re of course very sorry that this has happened. Keeping our customers’ data safe is extremely important to us and we are continually reviewing and enhancing our security practices. This incident will be a further learning opportunity to help us keep Vend as secure as possible for all of our retailers.