Some registered users of the fashion e-commerce site Myntra are reporting suspicious logins into their accounts, raising concerns of their data and payment information being exposed. Entrackr reviewed a dozen instances of Myntra users reporting on Twitter that their accounts were seemingly compromised, all in the space of the last few weeks.
The problem may impact all users that login to Myntra with a password. The website’s user interface allows users to link an email address with a third party service like Sign In With Google, which doesn’t require them to create a password. A spokesperson for Myntra denied that a breach was behind the incidents.
“There are no data breaches at Myntra’s end and our servers have not reported any threats,” a Myntra spokesperson told Entrackr. “At Myntra, we take data security very seriously and have a strong constantly evolving information security framework based on the industry best practices to prevent any data privacy risks. It is also our continuous endeavour to sensitise our customers about the prevalent risks in this space and we urge them to always stay alert and follow best cyber security practices.”
The alternative is password theft, where attackers steal passwords from a different data breach and try the combination on other sites. Users are frequently targeted with such attacks, which is what seems to lead to the likes of Netflix and Spotify account passwords being inferred and sold online by hackers, even if those platforms themselves were never breached.
Companies usually counter such indirect attacks by requiring accounts that have not logged in for a while to reset their passwords before being able to access their profiles, requiring email authentication before completing the sign-in, or requiring another form of 2 factor authentication, like an SMS one-time passcode. Another option is for a company to actively monitor breaches on other platforms, and advise its users to change their passwords if their passwords were stolen from elsewhere, as Amazon has done before.
It is unclear if Myntra took any of these steps, considering that they still allow users to login with an email address and password, instead of limiting them to a mobile number and one-time passcode login, which is harder to attack on scale. Myntra did not address Entrackr’s queries on steps they took to protect users from password theft attacks.