Credit card info stolen in a hack of Strat's site.

Moderator: Palmtana


gsnsn2

  • Posts: 20
  • Joined: Sat Sep 29, 2012 3:26 am

Re: Credit card info stolen in a hack of Strat's site.

Posted: Wed Feb 10, 2021 1:40 pm

I had several small bills run up on my credit cards two months in a row...one was from Amsterdam and the rest from California....now I buy a $100 credit card and just use that...so they don't get much if they use it

ROBERTLATORRE

  • Posts: 1296
  • Joined: Thu Aug 23, 2012 3:36 pm

Re: Credit card info stolen in a hack of Strat's site.

Posted: Wed Feb 10, 2021 9:17 pm

Reposting this from another thread for visibility:

It looks like if you are on the marketing email list, you got notified.

February 8th, 2021

To our loyal customers-

We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website. 

When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.

In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. 

We have also engaged a third party to investigate and we will update as we learn more.

Any pre-order previously placed will be sent upon commencement of shipping later this month.

Apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic


A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at-risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably doesn't have the experience to know what the best practices are, unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though; hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind, though, that the time frame of the risk extends well beyond the immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob

ROBERTLATORRE

  • Posts: 1296
  • Joined: Thu Aug 23, 2012 3:36 pm

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 12:06 am

OK, updating the status on this. Another manager forwarded this to me, he just received it:

February 10th, 2021

To our loyal customers-

We are writing to let you know that on February 8th, we learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards. This happened despite the strict security protocols we maintain at Strat-O-Matic and on strat-o-matic.com. Sadly, we join a long list of companies (large and small) who have had customer information stolen. However, it is important to note that identities were not stolen, as Strat-O-Matic has no social security or birthdate information for our customers. We also do not store credit card information (you must re-enter your credit card every time you purchase at Strat-O-Matic). Despite these precautions, our investigation to date has revealed that hackers were able to intercept credit card numbers inputted into our site for the period from January 5, 2021 through February 8, 2021.

Our investigation to date indicates this incident only impacts individuals who conducted credit card transactions on our website between January 5, 2021 and February 8, 2021.  The investigation also indicates that this criminal activity has not impacted anyone who used PayPal to pay for purchases on our site, even if the purchase was made with a credit card via PayPal during the relevant time period.

If you used a credit card directly on our site without PayPal between January 5, 2021 and February 8, 2021, we would strongly recommend either canceling the credit card or informing your credit card issuer that your card could be used for fraudulent charges.

On February 8, 2021, we learned of this incident, and immediately took steps to stop any further abuse. First, we began an investigation to review our site and determine if we had been attacked. We also emailed those potentially affected by the incident, suggesting that they check with their credit card companies to ensure they are protected from any unauthorized use of their credit cards. 

We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication. To ensure that this sort of incident cannot recur, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. PayPal is one of the industry leaders in customer data, security and privacy.

Any pre-order previously placed will be sent upon commencement of shipping later this month without any sort of disruption due to this situation.

Our sincere apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic


Based on this communication, what likely happened is that their e-commerce platform had a security vulnerability that was exploited. The hackers installed malware that sat on their network undetected, capturing and downloading all data passing through the site. The hackers then take that data and scan for personal information such as names, addresses, credit card #s, security codes, user IDs and passwords, and create a database of information from it. The hackers then immediately sell and use the credit card info, but they also match all of the data against a database of information that they have accumulated from other hacking activity (that they have done, purchased, traded for) and use it for identity theft.

SOM stated that SOM doesn't store the information on their platform (sounds correct) and that there isn't enough personal data from this specific incident for the hackers to steal someone's identity (also sounds correct), but there is still a risk for identity theft since the data is now exposed and distributed. The malware method used here captured data as it was transmitted, so even though it isn't "stored", it was still captured.

Here are some links on what to do if your credit card is stolen; they all basically say the same thing:
Lifelock - https://www.lifelock.com/learn-credit-finance-what-to-do-if-you-lose-a-credit-card.html
CNBC - https://www.cnbc.com/select/what-to-do-if-your-credit-card-is-stolen/
Experian - https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/credit-card-fraud-what-to-do-if-you-are-a-victim/

Credit card fraud can be very costly depending on the policies of the credit company. Amex is great with fraud protection, others not so much. So depending on the card you use on the web, your financial exposure will vary; it's good to know how each of your credit card companies handles fraud.

Hope this helps,

Rob

Stoney18

  • Posts: 1592
  • Joined: Thu Aug 23, 2012 4:39 pm
  • Location: Lincoln NE

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 10:31 am

Rob, thanks for the info. Appreciate you taking the time to share your knowledge.

Ninersphan

  • Posts: 11876
  • Joined: Thu Aug 23, 2012 7:30 pm
  • Location: Near Roanoke VA

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 10:57 am

Emailing the entire community, Nope. I still haven't received a single email regarding this breach. That's what I'm most disappointed about. No email, and still no mention of the breach on Strat's web site(s).

Palmtana

  • Posts: 6962
  • Joined: Thu Aug 23, 2012 7:47 pm
  • Location: SoCal

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 11:32 am

Maybe by "entire community" they mean just those who have checked to receive e-mails at "Your Team" >>>> "Team Preferences." I don't recall if an e-mail is required to be submitted when one initially signs up for SOM.

Everyone who uses their site to purchase products should have an e-mail on file though. Those people especially should be notified.

Why not put a notice at the top of Team pages like they do for other big announcements?

Ninersphan

  • Posts: 11876
  • Joined: Thu Aug 23, 2012 7:30 pm
  • Location: Near Roanoke VA

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 3:49 pm

Palmtana wrote: Maybe by "entire community" they mean just those who have checked to receive e-mails at "Your Team" >>>> "Team Preferences." I don't recall if an e-mail is required to be submitted when one initially signs up for SOM.

Everyone who uses their site to purchase products should have an e-mail on file though. Those people especially should be notified.

Why not put a notice at the top of Team pages like they do for other big announcements?


It only took two days, but NOW there is an announcement at the top of the 365 game page.

SGTD

  • Posts: 789
  • Joined: Mon Oct 01, 2012 12:38 pm

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 4:07 pm

I bought a team using PayPal but I'm not seeing a credit. It states it may take a few moments to post the transaction. Has anyone else seen this and, if so, how long does it take to see the credit to start your new team? I have never had to wait. Thanks

Ninersphan

  • Posts: 11876
  • Joined: Thu Aug 23, 2012 7:30 pm
  • Location: Near Roanoke VA

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 4:30 pm

SGTD wrote: I bought a team using PayPal but I'm not seeing a credit. It states it may take a few moments to post the transaction. Has anyone else seen this and, if so, how long does it take to see the credit to start your new team? I have never had to wait. Thanks



I have used PayPal to pay for the last few years and never had to wait. Not sure why you are having an issue.

SGTD

  • Posts: 789
  • Joined: Mon Oct 01, 2012 12:38 pm

Re: Credit card info stolen in a hack of Strat's site.

Posted: Thu Feb 11, 2021 4:41 pm

Yeah, I have no idea. I keep logging out and in to see if the credits will appear and nothing.