Lightspeed reported unauthorized access to its cloud POS Retail system and advised customers to change their passwords.
The firm also reminded developers using Lightspeed's API that they are required to implement the OAuth 2.0 specification for token-based authentication.
Lightspeed, the Montreal-based cloud provider of point-of-sale (POS) services to 38,000 businesses, notified its customers that unauthorized access to Lightspeed's Retail system had been detected, though it stated that it had not found any evidence suggesting customer data had been affected.
"Lightspeed maintains a central database of sales, product and customer information as well as encrypted passwords and API keys," the notification letter read. "In addition, for merchants using the Customer Facing Display, this database contains consumers' electronic signatures. Information contained in these databases was accessed during this incident. However, there is no indication that any specific data, including any personal information, has been taken or used."
"We can confirm that a security incident occurred," wrote Lightspeed's director of public relations, Bradley Grill, in an email to SearchSecurity. He added: "It's worth noting that Lightspeed does not store credit card information, and therefore no cardholder data was compromised in this incident."
As a result of the incident, Lightspeed stated in its letter to customers that it had introduced new access policies limiting access to its production infrastructure and sensitive data, and that it had added monitoring intended to detect intrusions in real time.
"We have successfully upgraded our infrastructure with a new set of security patches and are working to implement additional layers of security to intercept more advanced attacks."
The cloud POS firm released an upgrade to its Retail API incorporating a full implementation of OAuth 2.0 in August, which, it stated, "will better protect customer data for retailers using in-house and third-party API integrations."
Lightspeed said that all integrations would be required to migrate to OAuth 2.0 over the coming months to maintain API access, though for now the existing methods of connecting to Lightspeed's API would continue to work.
Even though the incident did not appear to compromise customer data, it was a warning sign that businesses should take care when considering moving their operations to a cloud POS.
"You're entrusting your accounting data to someone else -- it's best not to do so blindly," said ESET security researcher Lysa Myers. "Before selecting a vendor, it's important to have a thorough understanding of how exactly they protect data in their care. What do they encrypt, how and when do they encrypt it? Do they store your login credentials, or do they salt and hash them? What other security measures do they have in place on their systems? If the data they store are also used for your accounting purposes, do you have backups in place in case something goes wrong with your cloud vendor?"