Catch Of The Day announced on Friday last week that it had been hacked. That hack happened in 2011, though, and a lot of people rightly weren’t happy about it. Plenty of people wanted to delete their accounts. Now, it looks like that’s finally happening.
After hearing about the Catch Of The Day hack, I wanted to close my account — not out of fear for my data, since that horse has long bolted, but purely out of spite. I didn’t want to have anything to do with a company that waited three years to share the details of its database being compromised, sitting on that information and taking orders and making money from loyal customers whose passwords and personal data were in the hands of an unauthorised third party.
I get that hacks happen and data is stolen. It’s an unfortunate part of taking part in life on the Internet. I’ve had my accounts compromised at Adobe and eBay and the PlayStation Network. But all of those companies were (reasonably) upfront in detailing that they had lost control of their users’ data, and took steps to get out in front of the problem. Even if they delayed, they didn’t delay three years and only tell the public when they make an entirely arbitrary decision about those hackers cracking their database security after “technological advances” in computing.
That said, I checked out Twitter and the consensus was that the only option that “Australia’s #1 shopping website” was offering for closing accounts was through its Live Chat service, rather than through a form or by email. So I gave it a go:
[clear][clear]
Beyond initially entering a first and last name, and an email address, the live chat rep — who, if they were human in the first place, was dishing out canned responses, presumably to deal with the sheer number of angry Catch account holders overwhelming the chat — didn’t ask for any confirmation that I was the owner of the account, or ask for any other verification of my identity like a password or a purchase I’d made or my postal address.
Quickly enough, it became clear to me that Catch Of The Day wasn’t taking too many precautions with the accounts it was tagging for deletion. I decided to try it out with the personal details of Gizmodo editor Luke Hopewell — if Catch Of The Day is playing fast and loose with its users’ data, why can’t we do the same?
Armed with Luke’s first and last name and his personal email address — and with his explicit approval — I decided to try the same process on his Catch Of The Day account. Of course, it worked:
[clear][clear]
I was told to wait 24 hours for the accounts to be closed, but in a move that should surprise no-one, the process took four times as long as Catch suggested it would. (Frankly, I’m just grateful that it didn’t take three years.)
Four days later, without any verification, identity checking or verification, et voila — as of an hour ago, both mine and Luke’s Catch Of The Day accounts have been deleted:
[clear][clear]
It really seems like Catch Of The Day doesn’t have the greatest of respect for its users’ accounts. Hacking is one thing — it happens, and it’s unfortunately unavoidable in some cases. But not telling users that their details were taken for three years, and then opening the door for anyone with the most basic knowledge to delete the account of any user? It demonstrates a shockingly blase approach to security and accountability from a website that is one of Australia’s largest and (previously) most reputable online shopping destinations.
Not that we’re advocating impersonating anyone, of course — it’s not legal and you could get yourself into hot water. That said, strike up a chat with the friendly-and-probably-automated Catch Of The Day support team, and you’ll quickly find out that if you know anyone who has bought something on Catch Of The Day in the past, all you need is their first and last name and email address and you can get their account deleted.