My Freedom Smokes & Unauthorized Transactions

[robrrt]

I placed an order with MFS on 3/10 and was notified of attempted fraudulent charges to my card on 3/19. Luckily, I only had to deal with the inconvenience of no card for a week until it was replaced. Since then, I've been scratching my head over the possible source, so thanks for this thread.

 

[Caro123]

I am extremely new to this forum to any forums actually but is it possible that the issue could be related to an effort to discredit a supplier by those who chose to be very anti vaping. It is just a thought and I do hope the person gets the issue fixed. I too will be watching as I ordered and so far they have been kind.sometimes 9 years working in jails and justice has left me a little more aware than I once was.

 

[puffon]

I am extremely new to this forum to any forums actually but is it possible that the issue could be related to an effort to discredit a supplier by those who chose to be very anti vaping. It is just a thought and I do hope the person gets the issue fixed. I too will be watching as I ordered and so far they have been kind.sometimes 9 years working in jails and justice has left me a little more aware than I once was.

No this is real.
I know it happens, but am upset MFS just sent the e-mail 5 weeks after the data breech.
E-mail I just received yesterday:

"April 15th, 2015
Dear Customer,

We are contacting you as a precautionary measure to let you know about a data security incident that might affect your customer information.
Potential Data Security Breach

We identified that between approximately February 11, 2015 and March 16, 2015, electronic data may have been improperly obtained through unauthorized access to the website for MyFreedomSmokes ("MFS"). Specifically, on March 16, 2015, we discovered unauthorized code on the website and, although the code was encrypted, we believe that this code may have been used to obtain customer data as customers entered the information into the site's shopping cart while making a purchase on the website. This data could include customer name, physical address, email address, telephone number, credit card number, expiration date and card verification value ("CVV") number, if provided by the customer while placing an order with MFS through the website during the time period mentioned above. As soon as this code was discovered, MFS removed the code and began immediate efforts to restore the security of the website, secure customer information and determine the scope of the unauthorized access and how it occurred. We also retained the services of a nationally recognized cyber security firm and engaged in enhancements to the security of our website. MFS does not retain full credit card numbers or CVV numbers of our customers. Further, although MFS' website uses encrypted SSL links with customers and although MFS' card processor gateway during this period also was encrypted, MFS has changed its process for taking orders online and has moved to an enhanced system to protect customer information.



Although we have no evidence confirming that illegal use of any personal information has occurred or that any material harm will result to any customer as a result of this incident, some customers have reported fraudulent charges on their payment cards during the period noted above. Therefore, we want to alert you this risk and inform you of actions that you can take to help protect against identity theft."

If you have made purchases during these dates, be aware........

 

[08Cayenne]

I feel the same way, I even contacted them about this with no reply from them. I see how they care about their customers. I didn't receive any notification though. Pisses me off.

No this is real.
I know it happens, but am upset MFS just sent the e-mail 5 weeks after the data breech.
E-mail I just received yesterday:

"April 15th, 2015
Dear Customer,

We are contacting you as a precautionary measure to let you know about a data security incident that might affect your customer information.
Potential Data Security Breach

We identified that between approximately February 11, 2015 and March 16, 2015, electronic data may have been improperly obtained through unauthorized access to the website for MyFreedomSmokes ("MFS"). Specifically, on March 16, 2015, we discovered unauthorized code on the website and, although the code was encrypted, we believe that this code may have been used to obtain customer data as customers entered the information into the site's shopping cart while making a purchase on the website. This data could include customer name, physical address, email address, telephone number, credit card number, expiration date and card verification value ("CVV") number, if provided by the customer while placing an order with MFS through the website during the time period mentioned above. As soon as this code was discovered, MFS removed the code and began immediate efforts to restore the security of the website, secure customer information and determine the scope of the unauthorized access and how it occurred. We also retained the services of a nationally recognized cyber security firm and engaged in enhancements to the security of our website. MFS does not retain full credit card numbers or CVV numbers of our customers. Further, although MFS' website uses encrypted SSL links with customers and although MFS' card processor gateway during this period also was encrypted, MFS has changed its process for taking orders online and has moved to an enhanced system to protect customer information.



Although we have no evidence confirming that illegal use of any personal information has occurred or that any material harm will result to any customer as a result of this incident, some customers have reported fraudulent charges on their payment cards during the period noted above. Therefore, we want to alert you this risk and inform you of actions that you can take to help protect against identity theft."

If you have made purchases during these dates, be aware........

 

[Robert Cromwell]

I have bought from MFS 4 times this year and no problems so far. Good to deal with.

 

[kartoffelfaust]

No this is real.
I know it happens, but am upset MFS just sent the e-mail 5 weeks after the data breech.
E-mail I just received yesterday:

"April 15th, 2015
Dear Customer,

We are contacting you as a precautionary measure to let you know about a data security incident that might affect your customer information.
Potential Data Security Breach

We identified that between approximately February 11, 2015 and March 16, 2015, electronic data may have been improperly obtained through unauthorized access to the website for MyFreedomSmokes ("MFS"). Specifically, on March 16, 2015, we discovered unauthorized code on the website and, although the code was encrypted, we believe that this code may have been used to obtain customer data as customers entered the information into the site's shopping cart while making a purchase on the website. This data could include customer name, physical address, email address, telephone number, credit card number, expiration date and card verification value ("CVV") number, if provided by the customer while placing an order with MFS through the website during the time period mentioned above. As soon as this code was discovered, MFS removed the code and began immediate efforts to restore the security of the website, secure customer information and determine the scope of the unauthorized access and how it occurred. We also retained the services of a nationally recognized cyber security firm and engaged in enhancements to the security of our website. MFS does not retain full credit card numbers or CVV numbers of our customers. Further, although MFS' website uses encrypted SSL links with customers and although MFS' card processor gateway during this period also was encrypted, MFS has changed its process for taking orders online and has moved to an enhanced system to protect customer information.



Although we have no evidence confirming that illegal use of any personal information has occurred or that any material harm will result to any customer as a result of this incident, some customers have reported fraudulent charges on their payment cards during the period noted above. Therefore, we want to alert you this risk and inform you of actions that you can take to help protect against identity theft."

If you have made purchases during these dates, be aware........

Puffon, thank you for posting that. It will help others in the same situation. While companies prefer to keep data breaches quiet until they know for sure what happened, and what the scope was, I agree this was a significant delay. However, its likely on par with other major retailers such as home depot and target.

Interesting that the lowest probability consensus item at the beginning of the thread - malicious code in the web platform - is what happened. They do not indicate if this was an external breach - the exploit was executed against the public facing server - or if someone internal or on the web host side, might have been involved.

 

[08Cayenne]

So you had already learned of the problem when you posted this. You worded this post quite well. You should have followed through with the last sentence. Do you clowns have any idea the hassles of having your credit card info stolen? Unscrupulous

Thank you for moving this to our forum so that we could respond.

From time to time MFS, like most online businesses, receives customer service inquiries regarding potential fraudulent transactions relating to our site. These inquiries normally amount to 1/5 of one percent (0.002) in relation to our overall order volume and upon investigation, they generally turn out to be unrelated to MFS. Earlier this week we noticed an increase in this number to 4/5 of one percent (0.008) and, while still a very small number, we consider anyone getting their info stolen a serious matter and therefore began researching the issue further.

At this point our web hosts and developers have ensured us that there are currently no risks to transactions placed on our site. We are continuing to investigate whether there were any potential vulnerabilities either on our site, at our payment gateway (Authorize.net), or with our credit card processor that may have previously existed that could have put our customers’ information at risk. We are also forwarding feedback and comments posted here to our security team so that they can further investigate any potential threats mentioned.

We definitely take these issues very seriously and want people to feel safe transacting with us without fear of their information being compromised. We will post any significant updates related to this issue in this thread as we learn new info.

 

[AndrewH]

So you had already learned of the problem when you posted this. You worded this post quite well. You should have followed through with the last sentence. Do you clowns have any idea the hassles of having your credit card info stolen? Unscrupulous

My thoughts exactly. I got hit for $200 (fortunately got most of it back) but I'm really not sure if I'll be able to go back to ordering from MFS. I'll probably wait a bit and see if any more problems arise before doing so. On a side note, I never received that email that was posted above either.

 

[AlexStiff]

I am sorry that I was not able to post an update sooner. We are in the process of investigating and notifying all consumers who placed orders on the website during the relevant period. Unfortunately, this takes some time. Here’s what we know.

At this point neither MFS nor the security firm we hired have been able to identify the source of the malicious code. We have only been able to identify the date the code appeared. MFS immediately removed the code and began efforts to determine the scope of the unauthorized access and how it occurred. The investigation is continuing. This code may have been used to obtain customer data as the customer entered information into the site's shopping cart while making a purchased on the website between approximately February 11,2015 and March 16, 2015.

We cannot confirm that any customer information was taken, but as you know, it is not possible to guarantee that online transactions are totally secure. Therefore, if you made an order via our website between February 11 and March 16 your information is at risk and you should take steps to protect yourself against identity theft. Detailed information will be provided in the letter that you will receive, but a good place to start is the FTC publication found at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm. You also can contact credit reporting agencies to put a fraud alert on your credit report. This fraud alert is free and will stay on your credit report for at least 90 days. You can contact the CRAs at:

Equifax
(888) 766-0008
www.alerts.equifax.com
PO Box 740241
Atlanta, GA 30374 Experian
(888) 397-3742
www.experian.com/fraud
475 Anton Blvd.
Costa Mesa, CA 92626 TransUnion
(800) 680-7289
Credit Report, Credit Scores & Credit Checks | TransUnion
PO Box 2000
Chester, PA 19022-2000

Please know that securing your information is a priority. We took immediate steps to investigate the situation, enhance the sites security and comply with each states data breach reporting requirements. Each of these activities takes time and we are completing the process as quickly as we can.


We apologize for any inconvenience or anxiety this may cause you. If you have questions, please call our toll free number 855-705-4246. Thank you for being an MFS customer.

 

[puffon]

Thanks for getting back to us.
Fortunately for me I have not seen any fraudulent activity on my account so far.
However, I have cancelled my card and had another issued.
How about offering those affected (purchased during this time frame) a gift certificate, coupon code etc.
Having a new card issued costs me $10.

 

[mattiem]

Thank you for the update. Unfortunately I was one that apparently got caught in the incident. I caught it quickly as I check my CC transactions very often and was able to stop a charge while it was still pending. Called my CC company and had them cancel that CC and issue a new one with new number.

I know this is the world we live in now but it is still frustrating when it happens

 

[Caro123]

No this is real.
I know it happens, but am upset MFS just sent the e-mail 5 weeks after the data breech.
E-mail I just received yesterday:

"April 15th, 2015
Dear Customer,

We are contacting you as a precautionary measure to let you know about a data security incident that might affect your customer information.
Potential Data Security Breach

We identified that between approximately February 11, 2015 and March 16, 2015, electronic data may have been improperly obtained through unauthorized access to the website for MyFreedomSmokes ("MFS"). Specifically, on March 16, 2015, we discovered unauthorized code on the website and, although the code was encrypted, we believe that this code may have been used to obtain customer data as customers entered the information into the site's shopping cart while making a purchase on the website. This data could include customer name, physical address, email address, telephone number, credit card number, expiration date and card verification value ("CVV") number, if provided by the customer while placing an order with MFS through the website during the time period mentioned above. As soon as this code was discovered, MFS removed the code and began immediate efforts to restore the security of the website, secure customer information and determine the scope of the unauthorized access and how it occurred. We also retained the services of a nationally recognized cyber security firm and engaged in enhancements to the security of our website. MFS does not retain full credit card numbers or CVV numbers of our customers. Further, although MFS' website uses encrypted SSL links with customers and although MFS' card processor gateway during this period also was encrypted, MFS has changed its process for taking orders online and has moved to an enhanced system to protect customer information.



Although we have no evidence confirming that illegal use of any personal information has occurred or that any material harm will result to any customer as a result of this incident, some customers have reported fraudulent charges on their payment cards during the period noted above. Therefore, we want to alert you this risk and inform you of actions that you can take to help protect against identity theft."

If you have made purchases during these dates, be aware........

I am very happy that I did not do so during the problematic time period and I am glad the company notified customers. I am a cross border shopper and I am delighted with the service my freedom smokes provided to me. I will of course monitor my financials any time I order online. Sadly the world is made up of some desperate individuals.

 

[bruiser]

I was also hit by this. I've doing business, off and on, with MFS for around 4 years. It happened the morning after my order to MFS. I check my account every morning, and I saw something I didn't buy. I was at the bank within an hour talking to them. It seems as if the purchase had been made that very morning, about an hour earlier, so I must have caught it as it was being posted. The bank cancelled the card and issued a new one. So far, nothing else has happened.

 

[Sir2fyablyNutz]

I had fraudulent activity on my card on March 19 in the middle of the night. I found out the bank had cancelled my card (when I tried to use it in Kmart) because they felt the activity was suspicious. I had two purchases from MFS on 2/20 and 3/4.

The end result was I had to cancel my card and have the bank issue a new one. I also had to re set up the automatic bill payments from 4 businesses. At this time I also got a card from the bank, a money card to use for online purchases ($5 a month). I just transfer what I am spending (total figured at checkout before finalizing order) and the money is there immediately to pay for what I am buying. Keeping the money account near empty, I risk to lose very little should it be compromised.

It's an inconvenience to have to do this, but it's also the world we live in.

 

[08Cayenne]

Yea, what a stand up company. After more than a month still not admitting to the problem. I was hurt in this and it could have been avoided. If you would have come out and told the truth, which your still not doing, I could have cancelled the card and only would have to deal with that problem and not the additional problems of having fraudulent charges put on my card. You knew about this before my card was used, again I could have cancelled it if I would have know. I agree with a lot of the comments, this is the credit world that we live in. Unfortunately MFS conducted themselves in a manner to minimize their damage and chose not to care about the damage to their paying loyal customers.

 

[Filthy-Beast]

Everybody needs to understand, that small company's rely on the web hosting and payment providers to be the security experts. Large corporations have internal IT security experts, good ones and the tools they use aren't cheap. Small and Medium size business would go broke trying to keep up.

I work for a major, global, high tech company our security operations room, think NASA type control room, detects and prevents millions of attempted security breaches a month.

I requested a low credit limit card, that I only use online, so if it gets hacked, the damage is limited.

 

[VStarGirl]

My husband and I had our Visa cards hacked twice.First at the end of February and then again in March on the new cards. We're on our 3rd set of cards for the year. I never did receive a notice from MFS for this and now that I've seen this thread, I am pretty peeved as I made at least 4 purchases from them in 3 1/2 months. Luckily, we've had fraud protection on both cards for several years so we didn't lose anything. Four purchases were attempted between $200-300. I've been dealing with MFS for almost 3 years and never had a problem, so I will continue to do business with them.

 

[Wuzznt Me]

There are much bigger things at stake than just credit cards. I would advise everyone that made transactions during that period to keep a tight check their credit reports. It appears there was the possibility of more information being stolen than the cards. I had a credit card hit, followed by a debit card about two weeks later plus other indicators of problems I'm not able to elaborate on atm.

 

[Nick N]

I too had my credit card info stolen. Bought a Freakshow from MFS on 03/02/15, on 04/10/15 I saw a charge from GNC.com, who I have never done business with. Called the CC company, who got GNC on the phone. They said it was a CC purchase with my billing address but a different shipping address, they wouldn't tell me where though. Got a new card and my CC company refunded me the $69. Got the email from MFS on 04/22/15 about the website hack.

I am surprised how many people initially jumped on the OP blaming it on something else. [emoji17] I usually use Paypal when possible, and I know they are limiting purchases for vaping gear and supplies, so that was the only reason for using the CC.

 

[kartoffelfaust]

With identity theft and fraud becoming more common, it takes on a "blame the victim" mentality, even though the victim may have done nothing wrong.

Even worse, in your case, the privacy policy of these companies protect the thieves by not releasing shipping address information!