Fashion Nexus data leak: ​Over 1 million customers of several UK clothing brands exposed

More than 1 million customers of several UK clothing and accessories websites have had their personal data compromised after a security breach at web development and e-commerce firm Fashion Nexus. Security researcher Graham Cluley reported white hat hacker Taylor Ralston spotted a server that contained a shared database with the personal details of about 1.4 million customers.

Popular brands such as AX Paris, Elle Belle Attire, Perfect Handbags, DLSB and Traffic People were among the firms affected who had hired Fashion Nexus to build their online stores.

The exposed data included customers' names, email addresses, phone numbers and MD5-hashed passwords and salts among other data. However, there is currently no indication that users' payment card data was included or put at risk in the exposure.

Fashion Nexus and sister company White Room Solutions have yet to publicly respond to the disclosure. White Room Solutions declined Cluley's request for comment on the data leak, but confirmed that the security issue has since been resolved.

It is not immediately clear how long the data was exposed online or whether it has been accessed and exploited by malicious actors so far.

"In an unconnected boo-boo, the White Room Solutions and Fashion Nexus websites don’t support HTTPS - which doesn’t exactly instil confidence that they’re top of their game when it comes to advising on ecommerce," Cluley wrote. "However, White Room Solutions does tell me that it has informed the affected brands, and that it is leaving it up to the affected brands to contact their exposed customers about their data being breached, as well as inform the Information Commissioner’s Office (ICO)."

The revelation does come after the strict European data privacy laws GDPR have come into effect which means the companies failing to comply could face significant fines of up to €20 million or 4% of their annual turnover - whichever is higher.

None of the brands involved have issued public statements or appear to have informed customers of the data leak so far.