Security breach with Nicopure Labs


drthunder

These letters are being mailed out. If you did not receive it, here is the link. It might be a good idea to check your finances and request a new card with your bank to avoid any future issues. For whatever reason nothing was posted about this issue on the official site. The document was filed on 5/16.

https://oag.ca.gov/system/files/NicoPure Notice_0.pdf?
 

DaveOno

Got the letter Saturday as well.

I had my credit card compromised three times in the last 15 months. I'm NOT saying it was due to Halo's security breach. I buy from many vendors. It easily could have been any one of them.

I wish there was another step for online purchases, like a digital check. You put in an order to ACME for $42. You then go to your secure bank site, make a digital check for 42 payable to ACME (after ACME provides an account number). Then you send them your Digi-check number. It'd only be good to ACME for no more than the $42.

It really is a leap of faith that some company could take your CC number and only charge it once, then erase your number. Either online, or even at a fast food place. Convenience has its price.

The lesson here? Stay vigilant. Check your accounts often. (we caught one, and received a call from the CC the other times). Some people use pre-paid cards, but I use a credit card, either Visa, MC or AMEX. I was not held liable for a cent.
 

PMDMN

I received the letter as well. I'm troubled by a number of features of the company's notice campaign which appears principally designed to limit disclosure of the breach as much as possible. In my judgment the company has failed to take any number of cheap and easy steps to advise their customers that their credit card data may have been compromised.

Let's begin with the notice itself. It is mailed in a window envelope that indicates that the sender is "Return Mail Return Processing Center," a PO Box in Portland, OR. It looks like junk mail and I suspect that many recipients will toss it without opening it.

If you do open the notice you see that it was transmitted by Nicopure Labs, LLC. If, like me, you've purchased juice on the HaloCigs.com website with a credit card you will never have heard of Nicopure Labs. Your credit card statement will show that your payment was made to Halocigs and not to Nicopure Labs. Contrary to the information provided to the earlier poster, Nicopure Labs is not the parent company of Halo. Halo is a d/b/a for Nicopure Labs and not a corporate entity (see, Privacy Policy on Halocigs.com). I think it's reasonable to assume that some recipients of the notice will not make any connection between Nicopure Labs and Halo and will disregard the notice for that reason.

In my opinion the notice doesn't comply with California's statutory requirements that the notice provide "a description of the breach incident" and "the date range in which it was believed to have occurred." No time frame information is provided at all and the "breach description" is simply a statement that they've received reports from customers about fraudulent activity on their credit cards shortly after the customer used the card to make a purchase "on our website." Note: the website they are referring to is presumably halocigs.com and not nicopure.com. Is this fraudulent activity the result of a "breach incident?" The letter doesn't say. Was there a breach incident? The letter doesn't say, though it vaguely, sort of, implies that there may have been a breach incident. One possibility is that the company believes there has been a breach but doesn't know what the f**k has happened yet. Alternatively, they may have a pretty good idea about what happened but simply don't want to tell their customers.

If the company wanted to notify its customers of the breach the notice should have indicated that it was from Halocigs. The halocigs website should also contain a prominent notice of the breach. Again, because the company has failed to provide any sort of information describing the breach incident it's impossible to know what steps should be taken. Do their servers still have my credit card info on them? Should I change the password for my account? Would changing the account password make any difference or are their systems still compromised?
Is the data breach the result of their failure to encrypt their customer data?
 

Racehorse

I received the same letter. But I was already aware of "software problems" there as at least 4-5 of my reviews, which you're supposed to get points for, were not registering, and I had to call and write and provide screen shots of them to get my points.

After that, I pretty much decided not to use them anymore.

I now set up a separate bank checking account, with a debit card attached to it, and only move the EXACT amount of money for online purchase at the time I need it. This account is not linked to any other accounts I have. This is the way to do it.

I have been buying clothing and shoes online for over 15 years from top older companies like LL Bean, REI, and The North Face, and never been breached. Yet in the ecig stuff, I've been notified of breaches either by the fraud protection team at my bank, or via notice from the vendor, at least 6 times in 3 years. That leads me to believe that many ecig companies don't have network admins /credit card processors who understand security measures. They probably don't even have hardware firewalls.

I don't shop again with companies who expose me to breaches. TJ Maxx, etc.

Let's begin with the notice itself. It is mailed in a window envelope that indicates that the sender is "Return Mail Return Processing Center," a PO Box in Portland, OR. It looks like junk mail and I suspect that many recipients will toss it without opening it.

I found this offensive as well.

If you do open the notice you see that it was transmitted by Nicopure Labs, LLC. If, like me, you've purchased juice on the HaloCigs.com website with a credit card you will never have heard of Nicopure Labs. Your credit card statement will show that your payment was made to Halocigs and not to Nicopure Labs. Contrary to the information provided to the earlier poster, Nicopure Labs is not the parent company of Halo. Halo is a d/b/a for Nicopure Labs and not a corporate entity (see, Privacy Policy on Halocigs.com). I think it's reasonable to assume that some recipients of the notice will not make any connection between Nicopure Labs and Halo and will disregard the notice for that reason.

Ditto. Yet the last paragraph of the letter says "caring for our customers is a top priority....."

Sure doesn't feel that way, does it. :lol:

All your points are valid.

Esp. that there is no announcement on the website where customers actually go to purchase stuff.
 

PMDMN

Thanks Racehorse. I think that a lot of e liquid vendors are mom and pop operations and their small scale, limited capital, and limited IT resources make their systems potentially more vulnerable to a breach. Nicopure Labs is currently privately held; as a consequence, little public information is available concerning their revenue and the like. However, it seems likely that they're in the top five or ten US manufacturers of e liquid and related products and their annual revenue is likely measured in millions if not tens of millions of dollars. I suspect they're looking closely at IPO possibilities to maintain their recent rapid growth and expansion and that this breach is seen internally as a small or large headache in the context of their debt or equity financing plans. Unlike the vape shop down the street, this company appears to have substantial legal and regulatory compliance resources and has, in fact, clearly devoted substantial resources to the breach notice that we both received. It's still my opinion that they're trying to meet their legal obligations on the cheap and, if they haven't cut corners in the process, they've shaved them too fine for my taste.
 

retired1

Should I change the password for my account? Would changing the account password make any difference or are their systems still compromised?

Any system compromise pretty much requires the user to change their passwords on any site they use that particular password, not just that affected site.

It's unlikely that their site still contains the vulnerability that allowed unauthorized access.
 

machinestatic

Hello old friends. I haven't logged in in months, but I received the same letter in the mail as well. So of course I rushed to the Halo subforum, and lo and behold, I found this thread. Bummer.

Credit card activity website checked for anything unusual; nothing found: check.
Credit card issuer called, card cancelled, card with new number requested: check.
Halo website password changed: check.
Hesitation to place another order: check.

Good luck out there.
 

drthunder

I still don't understand how nothing has been said from Halo regarding this. It has been a week. Whenever something related happens with other companies notices are always posted to protect the customers. Heck even a forum post would suffice but we can't even get that. It's almost like they wanted this swept under the rug.

We don't buy from the Nicopure website, we buy from the Halo website. That is why we got the mail. They share the same address as well, so anyone would just assume they are the same entity. I remember back when you could just buy your favorite juice, pay for shipping and be done with it. Now they have weird pricing bundle packs that make ordering confusing, security issues and total silence whenever an issue arises. I don't know man.

The best part is when this occurred they had a sale and sent out multiple emails per day promoting it, regardless of the fact that customer financial information may have been compromised. I am truly upset with them over this and feel like something needs to be done to win back customer loyalty.
 

DaveOno

I still don't understand how nothing has been said from Halo regarding this. It has been a week.
A Halo representative has not posted to the ecf forum since December 2016.

It used to be nice, getting heads up on new products and flavors. Not to mention the wildly popular 12 Days of Halo during Decembers, the Halo-ween contest, and The Number's Game.

I hear Halo has a presence on Facebook, but many of us don't go there.

(I do miss Cinder Ella.) ;(
 

J Lee

Agree with all of the above, and Halo is not forthcoming. I was hacked (what a mess), suspected Halo and asked for an alternative way to pay. No other way, was the response from Halo. With no proof, I have reordered several times by now. Saturday I got the letter. I'm done w/Halo, anyone know of an acceptable substitute that takes PayPal or some other more secure way of paying?
 

SABOTEUR

I monitor my credit card accounts fanatically, so I would have already been aware of any unauthorized charges. Data breaches have become commonplace, so that didn't surprise me either. What bothered me was receiving mail from "Return Mail Return Processing Center". If you're informing me about potential unauthorized credit card use, what does returned mail have to do with anything? Then you force me to GOOGLE "Nicopure" to discover this alleged security breach may be Halocigs related. Why so shady? I only vape Halo products and it bothers me greatly that the company I buy all of my juice from handles this possible security breach in such a bizarre manner.

Sent from my Z958 using Tapatalk
 
I got the same letter.

Honestly, after reading it, I doubt that Halo has any clue as to what has happened. They'd probably be required to disclose more info, but since they don't know, they don't have any info to disclose.

The breach could have happened at Halo, or it could have happened at their payment processor, or it may not have happened at all. I guess I'm kind of numb to this kind of stuff. Every place you go to has a chance of a security breach, whether you're shopping online or local.

Hopefully, if Halo did have a security breach, they'll be able to figure it out and fix it. To me, it sounds like they're not even sure if they were breached or not.

I strongly disagree w/ the post above that encourages people to open a bank account and use a debit card for online orders. Credit cards tend to have a lot more protection for fraudulent transactions. I've been shopping online for around 20 years, and I've never had an issue where the credit card would not remove a fraudulent purchase (and it has happened probably 20+ times).

Finally, I'm not sure if this is related to the breach or not, but Halo seems to have their best sale ever this week (much better than Black Friday sales). I just got 30 30ml bottles of Tribeca for $10/bottle. I know they typically do Memorial Day promotions, but maybe they're having a bigger one this year to attempt to build up trust.
 

C.C. 95

I just got (basically) The SAME letter from My Freedom Smokes. (I also got the one from Halo/Nicopure).
What the hell?!
Here is the email:
Dear Customer,

My Freedom Smokes recently became aware of a potential security incident that may have affected the personal information of individuals who made purchases on myfreedomsmokes.com. We are providing this notice as a precaution to let you know about the incident and to call your attention to some steps you can take to protect yourself. We sincerely regret any concern this may cause you.

What Happened
Although the incident is still under investigation, it appears that between approximately March 7, 2017 and April 25, 2017, an unauthorized individual was able to obtain access to portions of our website and insert malicious code that was designed to capture payment information provided in connection with a purchase.

What Information Was Involved
We believe that the incident could have affected certain information (including name, address, email address, telephone number, payment card account number, expiration date, and card verification value (CVV)) of individuals who made a purchase on the website. According to our records, you made a purchase using a payment card during the relevant period and your information may be affected. Please note that because we do not collect sensitive information like Social Security numbers for standard payment card transactions, this type of sensitive information was not affected by this incident.

How We Are Responding
My Freedom Smokes takes the privacy of its customers very seriously, and we deeply regret that this incident occurred. We took steps to address and contain the incident promptly after it was discovered, including an internal investigation into the incident and communicating with the vendor who hosts and operates our website to learn more about what occurred. Further, we have retained an internationally recognized cyber security and digital data forensics firm to assist us in identifying the problem, fixing it, and preventing it from happening again. Also, note that well before this incident My Freedom Smokes moved to a tokenization system to better protect customer information.

What Can I Do
We do not believe that exposure of your payment card number is likely to result in identity theft. We recommend that you review payment card account statements promptly and carefully in order to identify any discrepancies or unusual activity. If you see any suspicious activity, you should immediately notify the issuer of the payment card and, if warranted, to law enforcement or regulatory authorities.

We are including with this letter an attachment listing additional steps you may wish to consider taking if you ever suspect that you may be the victim of identity theft. We are providing this information out of an abundance of caution, even though a loss of payment card information can only result in fraudulent charges, for which you would not be liable.

We take the security of your information very seriously, and we regret any inconvenience or concern this incident may cause you. If you have any questions or concerns about this incident, please do not hesitate to contact us at 1-800-955-9753 at any time of the day or night.

Sincerely,
Joe Joyal
Freedom Smokes, Inc.
 

PMDMN

Some details of the Nicopure/Halo breach can be found at the website of New Hampshire's attorney general. I tried to post a link but apparently links aren't permitted here. Find it by googling "nicopure data breach." Briefly, malicious code was inserted into their website. They learned about the presence of the malicious code sometime after an April 3rd notice from their payment card processor advising them of fraudulent charges their customers were experiencing.

The letter indicates, briefly but with some specificity, what happened and when it happened. On the other hand, their notice letter to their customers is a fine example of obscurantism. Can't say why they didn't think it appropriate to offer the same information to their customers.
 

C.C. 95

Some details of the Nicopure/Halo breach can be found at the website of New Hampshire's attorney general. I tried to post a link but apparently links aren't permitted here. Find it by googling "nicopure data breach." Briefly, malicious code was inserted into their website. They learned about the presence of the malicious code sometime after an April 3rd notice from their payment card processor advising them of fraudulent charges their customers were experiencing.

The letter indicates, briefly but with some specificity, what happened and when it happened. On the other hand, their notice letter to their customers is a fine example of obscurantism. Can't say why they didn't think it appropriate to offer the same information to their customers.
These are the documents on the site: [five attached images of the documents]
 

Racehorse

I strongly disagree w/ the post above that encourages people to open a bank account and use a debit card for online orders.

Card is linked to an account that ONLY has the exact amount of the purchase, so it can't be hacked. I order something for $12.03, I move exactly $12.03 into that account. The rest of the time, the account has 1 cent in it, and NO overdraft option.

BTW, my particular bank has *excellent* Fraud Detection Department, and yes, on my debit card. The 3 times somebody has tried to hack me, they caught it before it even hit my account.

A good bank (mine is a small hometown bank that the municipality, the mayor, the sheriff, and all the attorneys use........for a reason. :)) will treat you right.
 