A vast chunk of the personal data of users of the website Kiddicare has been verified as genuine, with the site managing to hand out free access to the account details of some 794,000 former shoppers. Rather embarrassingly, the leak was triggered by the shop itself, which allowed developers of a prototype redesign to use actual customer data for its experiments.
Kiddicare has assembled a PDF statement on the matter, saying that no credit card data was included in the leak because it farms out all such transaction business to grown-ups, although customers can expect to see their names, delivery addresses, email details and telephone numbers pop up in bulk anonymous paste sites, in vast torrent archives, written on the walls of toilet cubicles, and however else such material is shared these days.
The retailer has also vaguely insulted the hackers, suggesting that users should look out for any unsolicited emails containing "poor grammar or incorrect spelling" and asking for money. Which is pretty much every email these days.
The only noticed attempt to extract money so far has been via an unsolicited SMS message asking site users to carry out a survey, as a first step in social engineering out payment details to accompany the contact data. [Hot for Security via BBC]