Online daily deal shopping site catchoftheday.com.au has written to its customers to advise them that some of their details may have been compromised ... three years ago.

Catch of the Day is an Australian retail site listing items available for purchase at reduced prices for one day only, following a trend started by sites like Woot and Zazz.

Yesterday, 18th July 2014, Catch of the Day wrote to its users to advise them "data security is very important to us."

As security is important to Catch of the Day - which we know, because the email tells us so - the site wishes its users to be aware that "an illegal cyber intrusion" occurred which targeted Catchoftheday and other online retailers. The email states this intrusion "compromised names, delivery addresses, email addresses and hashed (encrypted) passwords."

The email states "We do not store a full credit card number" but elsewhere states "In some cases credit card data was compromised."

As such, it is unclear exactly what credit card information may have been compromised, but the email states "At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards."

The email notes that, because email addresses and passwords were compromised, it is prudent for users to change their passwords on any other websites where they use the same email address and password combination.

However, when exactly did this breach occur? The email notification was 18th July 2014. The email states the intrusion occurred on 7th May 2011. That's not 7th July 2014. It's not even 7th May 2014. It's 7th May 2011.

Despite asserting "data security is very important to us" Catch of the Day waited three years before informing users their details had been compromised.

The email advocates "If you have not changed your password on Catchoftheday.com.au since 7 May 2011, we advise you to change your password."

The email also states "It is always good practice to have unique passwords for every website that you use. If you used the same password for Catchoftheday.com.au as other websites in 2011 we recommend that you change all of those passwords as well."

What the email does not say is how users can go backwards in time to change their passwords on other sites and protect themselves from potentially three years' worth of vulnerabilities on other web sites.

It is not difficult to find an example online already: on Apple's support forums is a post dated May 27th 2014 where user kkneufeld talks about their Apple devices having been compromised and wants to work out how. From discussion, other Apple users suggest this person may have used the same email address and password combination elsewhere. kkneufeld responds, "I know it's unlikely, but the other account I had with the same details as my Apple ID was my Catch of the Day account."

It turns out not only is it likely, but had user kkneufeld known their details had been compromised in 2011 they could, and presumably would, have changed their Apple password well prior to having their Apple devices compromised.

The email is clear; the breach occurred in May 2011 and Catch of the Day is emailing customers in July 2014 to advise them - because "data security is very important."

The email is clear; Catch of the Day has not suddenly discovered a breach which occurred back in time. It knew of the breach at the time. It informed banks and police, according to the email, but waited three years to advise customers.

An official comment has been requested from Catch of the Day.

I spoke to a Catch of the Day representative and asked "You sent an email out yesterday advising of a hacking incident in 2011. Why did you wait three years to tell your customers their details may be at risk?" The response was "We apologise for this inconvenience."

I asked further questions; please read on for my Q&A.

Q: Why did you not advise customers at the time of the hacking? Why wait three years to tell them to change passwords?

A: We completely understand how important your account information is. That is why the moment we have identified this incident is still a threat we immediately act upon it by notifying our customers.

Catch of the Day continued: "Our security networks are continually evolving and have undergone major upgrades to keep in line with industry standards and best practices. We have better technology, better procedures and a bigger team dedicated to ensuring your experience with us is safe and secure. We regularly undertake external reviews and audits to ensure that our sites and your data are as secure as possible."

Q: When did you realise there was a breach? According to your email you realised in 2011. Or did you only realise this week?

A: At the time, the incident was reported to relevant banks and card companies, who enacted their own fraud prevention measures which included cancelling cards.

Q: Did anybody think at any point they should tell customers to change passwords, at the time? Why wait three years?

A: That is a good question David and it is a valid reason for your inquiry. To preempt and avoid potential problems because of this we recommend you to change your password. Also, as stated on our advisory We do not store a full credit card number, and payments are processed through a third party bank.

Q: How are passwords stored on your system? Is it true that email addresses and passwords were compromised?

A: Customers' passwords are stored securely on our database. We follow a strict structure for account security.

Q: Is there any risk that if, say, the email address and password used for Catch of the Day was also the email address and password used for, say, iTunes that someone could have had their iTunes account breached in the last three years as a result of this intrusion?

A: That is a good example. That is why usernames and passwords should be unique. By the way, have you changed your password already? Please change it. I just want to let you know that Catch is here to safeguard and ensure our customers security. :)

Q: Except when it comes to telling them of breaches, right? ;)

A: I understand how alarming this is. I just want to assure you we are doing our best to stay on top of things.

So, that is the situation. If you have or had a Catch of the Day account, and joined prior to 7th May 2011, you should consider carefully where else you have used that same email address and password and take appropriate steps.

It is also prudent to look into password management tools like KeePass, which can provide a secure, unique password for every website you use. The problem which has happened here is in no way unique to Catch of the Day, though customers ought rightly to find it concerning that it took so very long for Catch of the Day to actually make customers aware of the problem. This happened despite rhetoric that "data security is important to us."

UPDATE: Catch of the Day representatives knew at least as far back as February 2012 that customers were finding something fishy when they got spam on email addresses they only used with Catch of the Day. Yet the company continued to choose not to disclose the breach. Read more here.