MyFreedomSmokes was hacked!

[CliffCavin]

Anybody who has made a purchase from MyFreedomSmokes in the past few months needs to consider closing your credit card. Perhaps other vendors use this same payment processor. It looks like the bad guys got away with all the info, including card numbers as well as the 3 digit card verification numbers, for a considerable period of time.

This is the email I received:
=======================================
May 26, 2017

Dear Customer,

My Freedom Smokes recently became aware of a potential security incident that may have affected the personal information of individuals who made purchases on myfreedomsmokes.com. We are providing this notice as a precaution to let you know about the incident and to call your attention to some steps you can take to protect yourself. We sincerely regret any concern this may cause you.

What Happened
Although the incident is still under investigation, it appears that between approximately March 7, 2017 and April 25, 2017, an unauthorized individual was able to obtain access to portions of our website and insert malicious code that was designed to capture payment information provided in connection with a purchase.

What Information Was Involved
We believe that the incident could have affected certain information (including name, address, email address, telephone number, payment card account number, expiration date, and card verification value (CVV) of individuals who made a purchase on the website. According to our records, you made a purchase using a payment card during the relevant period and your information may be affected. Please note that because we do not collect sensitive information like Social Security numbers for standard payment card transactions, this type of sensitive information was not affected by this incident.

How We Are Responding
My Freedom Smokes takes the privacy of its customers very seriously, and we deeply regret that this incident occurred. We took steps to address and contain the incident promptly after it was discovered, including an internal investigation into the incident and communicating with the vendor who hosts and operates our website to learn more about what occurred. Further, we have retained an internationally recognized cyber security and digital data forensics firm to assist us in identifying the problem, fixing it, and preventing it from happening again. Also, note that well before this incident My Freedom Smokes moved to a tokenization system to better protect customer information.

What Can I Do
We do not believe that exposure of your payment card number is likely to result in identity theft. We recommend that you review payment card account statements promptly and carefully in order to identify any discrepancies or unusual activity. If you see any suspicious activity, you should immediately notify the issuer of the payment card and, if warranted, to law enforcement or regulatory authorities.

We are including with this letter an attachment listing additional steps you may wish to consider taking if you ever suspect that you may be the victim of identity theft. We are providing this information out of an abundance of caution, even though a loss of payment card information can only result in fraudulent charges, for which you would not be liable.

We take the security of your information very seriously, and we regret any inconvenience or concern this incident may cause you. If you have any questions or concerns about this incident, please do not hesitate to contact us at 1-800-955-9753 at any time of the day or night.

Sincerely,
Joe Joyal
Freedom Smokes, Inc.

 

[Tonee N]

I didn't receive the email but my last order from them was on May 11th but since then my bank has already sent me a new card .
Thanks for sharing this, it means alot[emoji106]

Sent from my SAMSUNG-SM-G870A using Tapatalk

 

[bussdriver]

My Freedom Smokes is hopefully a reputable company; many people here have dealt with them. But if you head for the archives, you will find their name posted time and time again over the past years. I understand that anytime your card is used anywhere you are open for hacking, but it seems that this company has been repeatedly tagged over and over and over again.

Let the buyer beware.

 

[David Wolf]

Second time this has happened with MFS from my research. I had a card compromised shortly after an order a few months ago and had to change cards. They have been reliable on orders but this is Unacceptable. I think someone should investigate if this is an inside job.

 

[Bonskibon]

I'm weary of seeing incidents with this company. I have ordered from them, and will only do so with a prepaid card as I do with all my online transactions. I have ordered during the time frame the email states, but no longer have the card (prepaid) I used, but this is stressful for anyone who uses a CC, or debit card for purchases.

 

[Eskie]

MFS is also required under law to provide for free credit reports every 6 months for an I'm not sure exactly how long, maybe 1 year, to all customers potentially affected. That's a Federal regulation for any company which has their business hacked and customer info taken.

 

[somdcomputerguy]

My last purchase from them was this past mid-February, but I'll monitor my CC usage a few more times a week than I have been for the last couple years. MFS is one of the few online vendors that I deal with occasionally, and I must stress that I have had no issues of any kind with any of them..

 

[TJVapes]

I didn't receive an email from MFS. I did have purchases in that timeframe, and my CC company sent me a new card due to a merchant I used being compromised. I hope they have it fixed because I ordered from them again before I realized why I received a new card. I'm not exactly firing on all cylinders these days

 

[CliffCavin]

I am glad that MyFreedomSmokes at least came clean and notified customers. I just cancelled/reissued my credit card this morning. Also, there were no fraudulent charges made yet, so that is a plus.

 

[David Wolf]

I'm weary of seeing incidents with this company. I have ordered from them, and will only do so with a prepaid card as I do with all my online transactions. I have ordered during the time frame the email states, but no longer have the card (prepaid) I used, but this is stressful for anyone who uses a CC, or debit card for purchases.

I now use a prepaid card as well for online orders and keep a minimal balance on it, my bank charges me no fees for it

 

[mattiem]

Anybody who has made a purchase from MyFreedomSmokes in the past few months needs to consider closing your credit card. Perhaps other vendors use this same payment processor. It looks like the bad guys got away with all the info, including card numbers as well as the 3 digit card verification numbers, for a considerable period of time.

This is the email I received:
=======================================
May 26, 2017

Dear Customer,

My Freedom Smokes recently became aware of a potential security incident that may have affected the personal information of individuals who made purchases on myfreedomsmokes.com. We are providing this notice as a precaution to let you know about the incident and to call your attention to some steps you can take to protect yourself. We sincerely regret any concern this may cause you.

What Happened
Although the incident is still under investigation, it appears that between approximately March 7, 2017 and April 25, 2017, an unauthorized individual was able to obtain access to portions of our website and insert malicious code that was designed to capture payment information provided in connection with a purchase.

What Information Was Involved
We believe that the incident could have affected certain information (including name, address, email address, telephone number, payment card account number, expiration date, and card verification value (CVV) of individuals who made a purchase on the website. According to our records, you made a purchase using a payment card during the relevant period and your information may be affected. Please note that because we do not collect sensitive information like Social Security numbers for standard payment card transactions, this type of sensitive information was not affected by this incident.

How We Are Responding
My Freedom Smokes takes the privacy of its customers very seriously, and we deeply regret that this incident occurred. We took steps to address and contain the incident promptly after it was discovered, including an internal investigation into the incident and communicating with the vendor who hosts and operates our website to learn more about what occurred. Further, we have retained an internationally recognized cyber security and digital data forensics firm to assist us in identifying the problem, fixing it, and preventing it from happening again. Also, note that well before this incident My Freedom Smokes moved to a tokenization system to better protect customer information.

What Can I Do
We do not believe that exposure of your payment card number is likely to result in identity theft. We recommend that you review payment card account statements promptly and carefully in order to identify any discrepancies or unusual activity. If you see any suspicious activity, you should immediately notify the issuer of the payment card and, if warranted, to law enforcement or regulatory authorities.

We are including with this letter an attachment listing additional steps you may wish to consider taking if you ever suspect that you may be the victim of identity theft. We are providing this information out of an abundance of caution, even though a loss of payment card information can only result in fraudulent charges, for which you would not be liable.

We take the security of your information very seriously, and we regret any inconvenience or concern this incident may cause you. If you have any questions or concerns about this incident, please do not hesitate to contact us at 1-800-955-9753 at any time of the day or night.

Sincerely,
Joe Joyal
Freedom Smokes, Inc.

I truly do wish they could figure out what is going on. This letter could be a carbon copy of the one I got back in 2015 after they got hacked. Sadly I got bit that time.

If I were a conspiracy theorist I might think a competitor is trying to put them out of business.

 

[numsquat]

I now use a prepaid card as well for online orders and keep a minimal balance on it, my bank charges me no fees for it

Do the same with Bluebird. Never have more than $10 on the card until I'm ready to buy. Only buy online from places that take Amex or Paypal.

Never bought from them before, almost ordered some nic yesterday but got busy with other things, still could today though. Not worried about the order as switching cards on Bluebird when compromised is pretty easy. In fact been using Amex for ordering online for 15+ years and they have been great for online protection in my experience.

 

[Bad Ninja]

This is a security issue.
This is not the first time MFS has had CC fraud issues.
In fact, there have been multiple threads here about it over the past few years.
Every few months one pops up.

There is no way I would ever order from them.

Too many other sites that wont compromise your information to waste a second on them.

 

[bellastarr]

Second time this has happened with MFS from my research. I had a card compromised shortly after an order a few months ago and had to change cards. They have been reliable on orders but this is Unacceptable. I think someone should investigate if this is an inside job.

Wow, they have been hit over and over again (more than twice, this is just the second time I've seen them actually admit it) during the last three years I've been vaping. I used to order from them a lot, but after being hit three times over a 2 year period I stopped ordering from them.. Haven't had a problem since then with ANY other vendors and I place a few hundred dollars worth of vape orders a month.

 

[David Wolf]

This is a security issue.
This is not the first time MFS has had CC fraud issues.
In fact, there have been multiple threads here about it over the past few years.
Every few months one pops up.

There is no way I would ever order from them.

Too many other sites that wont compromise your information to waste a second on them.

I've ordered from them many times with good service and no issues until this post reminded me that I had ordered from MFS shortly before my card was hacked several months ago. At first I suspected a company in china since it was the first time I had ordered from them.. sorry China
I also didn't get that email notice ...

 

[drysprocket]

This is unreal....again? I got hacked last time, at least a year ago, and they did nothing about it. For it to happen again is beyond words.

I found out last time by simply searching the name of the fraud charge on my bank account, and an entire thread came up online about people putting the pieces together that it was them.

Stay far, far away folks. This is either an inside job, or incompetence at a level rarely achieved by any business.

 

[zoolander3003]

Ordered on 4/2. $350+ fraudulent AT&T charges shorty after. Bank took care of it and re-issued card. Now I know why .. thanks.

 

[Beamslider]

Why are they storing all that information? That's fishy to begin with. They only the need the Authorization number for the charge from the bank to guarantee they get paid. They should never under any circumstances store the 3 digit verification code and shouldn't even store the cc number unless you want to keep it on file, then make you re-enter the 3 digit number whenever you use it. Storing the 3 digit verification code is probably a violation of the user agreement they have with credit card company.

Also some credit cards allow you to set up a temporary number and expire date to use on line. Others have a one time use number. More pain to use as you have to log in to credit card company and get the temporary number but safer from hacking.

 

[glasseye]

I didn't get the email either, even though I purchased from them in that time frame. Already have a new card due to 2 fraudulent charges for Lyft rides in San Fran, where I've never been. So yeah, good to know. Thanks @CliffCavin

 

[Eskie]

Just last week I got a call from my bank asking if I just tried to order $3,000 of stuff from Neiman Marcus. The answer? No, I didn't. Had a new card the next day.

Thing is, that credit card is never used for online purchases, only in person stuff. Best we can figure is someone mounted a skimmer somewhere and I didn't spot it when I swiped my card. They're getting better and better at finding ways to steal your money.