Luxury brands get hit again

If you're a fan of the luxury fashion brand Louis Vuitton, be advised that the company recently and quietly fixed an issue on their website, that may have been exploited by hackers, as soon as the company became aware of it. The problem was discovered by independent researcher Sabri Haddouche, who, following proper responsible reporting protocols, reached out to the company and informed them of the issue.

Unfortunately, their response was frustrating

"Thank you for contacting Louis Vuitton. In response to your query, we regret to inform you that we are not able to answer favorably to your sponsorship proposal. We thank you for your understanding and your interest in Louis Vuitton and wish you a pleasant day."

An unusual response, to be sure, but Haddouche kept trying to make contact with someone who at least knew what it was he was attempting to tell them. Finally, he was successful on that front and the company moved to correct the issue.

The crux of the issue was this: The website allowed users to view their own account details but the account numbers were sequential, and part of the URL. Haddouche noticed this when he saw his account number in the URL and tried simply incrementing it by +1, which brought up an entirely different user's account information.

There is no evidence that hackers discovered and made use of this simple exploit before Haddouche reported it and the company corrected it. The truth is that they may well have, so if you have an account on Louis Vuitton's website, be aware that whatever personal information you had stored in your account profile may have been compromised.

Our perspective

Kudos to Sabri Haddouche for his dogged determination in getting the company to pay attention to the issue.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~

 

By Denis Wilson and Melissa Stockwell

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT SupportI'm Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people/process/technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective office productivity and out-sourced service solutions for over 20 years, focusing principally on manufacturing, professional services, and healthcare.  Our hallmarks are cloud and on-premises network reliability, cost-effective cybersecurity, and livable small business regulatory compliance.

I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs. Contact me if you would like me to speak at your association