Back in 2020!
And they have discovered this just now!
Because someone shared the whole database of 878387 accounts online for free.
It is whether they knew it since 2020 and didn’t tell anyone, or they didn’t know anything and their system might still be vulnerable.
According to their email, they have no clue what actually happened:
There are lots of details in this database: name, full address, email, company name, DOB(not many accounts, and seems like lots of fake), phone number(mostly those registered with the phone number).
Many businesses were buying from 123ink.ca or PrimeCables; all these companies’ names are in there.
There are fields like “Last Login”, “First Order At” and “Last Order At”, which give a clue about around what time Shopper Plus was hacked; basically all the dates are no later than 2020. To be more precise, the latest date I’ve noticed was July 28, 2020.
Anyway, those who created their accounts after 2020 are not included in the leak.
My account is in this database, but luckily I had a fake name, fake DOB, and old mail address in my profile.
But! This is only a publicly available leak that dates back to 2020.
No one knows neither what information was actually stolen nor for how long hackers had access (maybe they still do) to the Shopper Plus website.
Probably because it’s already too late, they have never shut down the website to investigate, unlike Indigo.
Name of the file with leaked data:
“CrmSegment” tells me that only part of the stolen information (Customer Relationship Management?) was leaked publicly, and there are possibly more segments out there.
I was using 123ink.ca for a long time, as they usually have the lowest prices for printer cartridges.