Finns’ Zalando accounts have orders from abroad.
According to information obtained by Iltalehti, the customer accounts of Finnish users of the German clothing online store Zalando have been accessed. Orders have been placed on the accounts from various European countries. In some cases, Zalando has automatically flagged the orders as suspicious, but in some cases the order has gone through and the account has been debited.
The incident was first discussed in a Facebook group, where Mira Tammenoksa, who lives in Laukaa, also shared her experience. Tammenoksa tells Iltalehti that a week ago, during the night, she received an email from Zalando saying that a Plus account had been created for her.
– I thought it was spam, and I didn’t react to it. The next morning, I noticed that Zalando’s order confirmation in French had arrived in the email, says Tammenoksa.
Zalando would not let Tammenoksa log in to the account, so she called Zalando Finland’s customer service.
– I told them that I had received an order confirmation for an order I knew nothing about. Zalando said that the security department had noticed it, canceled the order and closed my account permanently, says Tammenoksa.
Someone had presumably gained access to Tammenoksa’s Zalando account and tried to order products for themselves. In Tammenoksa’s case no money had yet been taken, but some victims have had money debited from their accounts.
Zalando’s customer service told Tammenoksa that she was not required to “take any further measures” regarding the matter. She has not been told anything more about what happened to the account or how someone got into it.
– The customer service could not say how the unusual activity had been detected. Apparently, the order made from a Finnish account in France had raised the alarm in some way, says Tammenoksa.
Tammenoksa has ordered clothes from Zalando by invoice, and she also has PayPal linked to the account. The service also allows card details to be stored, which lets orders be placed without re-entering them.
Tammenoksa says that she is careful about information security, and does not open links or give her details to pages that seem even slightly suspicious.
– This is why the case surprised me in particular. I have now informed the Cyber Security Center and filed a criminal report with the police.
There is no more detailed information about the events yet
Iltalehti contacted Zalando’s communications department in Germany. The company denies a data breach, or at least says that it is not aware of one.
– We are currently not aware of a data protection violation against Zalando, the company’s communication says.
Zalando says that its e-commerce platform is built on modern infrastructure equipped with fraud detection mechanisms and data security tools. These tools are probably also what detected the suspicious activity on Tammenoksa’s Zalando account.
– In addition to our current security measures, our information security expert constantly evaluates new technologies and implements them as needed, the communication says.
The communication states that the company cannot comment on “certain measures for security reasons to avoid giving malicious actors information they could use as part of a future attack.”
Notifications have been received by the authority
The Finnish Transport and Communications Agency Traficom’s Cybersecurity Center says that it has so far become aware of some individual cases of similar account hijackings. The center is not yet able to comment on the case in more detail.
Matias Mesiä, an information security expert at the Cybersecurity Center, advises victims to inform the Cybersecurity Center about account breaches. According to Mesiä, they should also be reported to the police.
– If you lost money, you should notify the bank immediately, advises Mesiä.
If someone has been able to log into your Zalando account, or you can no longer log in yourself, Mesiä recommends contacting the service and changing the password.
– Account breaches in different services also show the importance of multi-factor authentication and of using different passwords in different services, Mesiä states.
As a general example, Mesiä points out that in some cases a person’s email address can be used to create an account that the owner of the email address knows nothing about. The owner may then receive notifications from services they never signed up for.
– Be careful if you receive a notification via e-mail about registering for a service you don’t know about. Do not under any circumstances press the confirm or accept link if you did not create a user account yourself, says Mesiä.
In the Zalando case, however, this is not what happened, as the accounts already belonged to the owners of the email addresses.