Gyft Data Breach
Gift card retailer Gyft has announced that they were affected by a data breach that could mean information (including gift cards) from people’s accounts was compromised. They are sending out letters to people whose accounts may have been compromised. Here is how they explain it on the website they have set up, followed by my thoughts and analysis:
Beginning on October 3 and continuing through December 18, 2015, an unknown party accessed without authorization two cloud providers used by Gyft. This unknown party was able to view or download certain Gyft user information stored with these cloud providers and make a file containing some of that user information.
What information was exposed?
The information potentially accessed from the cloud providers included names, addresses, dates of birth, phone numbers, email addresses, and gift card numbers. Gift card numbers could have been used to make unauthorized purchases. Not all users had all types of information compromised and some users did not have information exposed.
In addition, if you attempted to use Gyft between March 19 and December 4, 2015, your Gyft log-in credentials may have been compromised. An unauthorized party who acquired your credentials could have accessed your Gyft account and used any gift cards in your account with unused balances, or used available reward points or a Coinbase-enabled account to purchase additional gift cards.
Was my credit card information exposed?
No. Full credit card numbers are not visible in Gyft accounts and any credit card purchases require the three- or four-digit security code on the back or front of your credit card, which was not part of the information that may have been compromised, so credit card information was not compromised.
I log into my Gyft account through social media, is that account at risk of unauthorized access?
If you log into Gyft with your social media account (for example, through Facebook), your social media credentials were not exposed.
What is Gyft doing about this?
Shortly after discovering this issue, Gyft acted to prevent unauthorized access by forcing users whose passwords were potentially compromised to reset their passwords and logging out other affected users. Affected users who have not already done so will be forced to choose a new password the next time they log in. We also reset the Coinbase tokens for all affected customers. We are continuing to investigate the incident and will take all appropriate steps to protect Gyft customers.
Has the information been misused?
Fortunately, we have not discovered evidence that anyone used the information potentially compromised in this incident to access Gyft accounts or make unauthorized purchases.
How is Gyft notifying affected users?
Users who potentially had a gift card exposed and who had entered a shipping address during a Gyft purchase are being sent a letter at that address.
Users who potentially had a gift card exposed but for whom Gyft does not have a valid shipping address and users who may have had a password exposed (but not a gift card) are being notified via the email address associated with their Gyft account(s).
Why did I receive more than one notification?
You may have received multiple notifications if you have more than one Gyft account with information potentially exposed.
Who should I contact if I have questions?
Please call 866-287-0504 if you have additional questions. You may also contact us in writing at 150 W. Evelyn Avenue, Suite 300, Mountain View, CA 94041.
Is there anything I need to do?
We recommend that you change your password for any online account where you use the same password that you used for Gyft between March 19 and December 4, 2015. As discussed above, credit cards stored through Gyft were not affected by this incident. However, if you have a Coinbase account linked to your Gyft account, we recommend that you review any Coinbase transactions beginning in October 2015, because a linked Coinbase account could have been used to make purchases within your Gyft account. You should also monitor any gift cards that were in your Gyft account before January 8, 2016.
How do I reset my password?
If your account password may have been affected and you have not already reset your password, Gyft will provide instructions to reset your password the next time you attempt to log in on Gyft.com or the mobile app.
How do I know if my gift card has been used?
If you received a letter indicating that your gift cards may be at risk, the card numbers for cards added to your account before January 8, 2016 may have been exposed. Gyft does not track gift card usage. You will need to check the balance on each card separately with the relevant retailer.
Could someone use my Coinbase account as a result of this incident?
It is possible that an authorized party could have used the credentials exposed in this incident to log into an account enabled with Coinbase, and purchased gift cards using the Coinbase account. Gyft has not found any evidence that this has occurred. Both user credentials and Coinbase tokens have been reset since Gyft discovered this incident, so such account access is no longer possible.
Will the information exposed affect my credit?
The information potentially involved in this incident does not affect your credit.
My Thoughts & Best Practices
Both my wife and I received a letter in the mail stating that our accounts may have been compromised. Thankfully we don’t proactively purchase gift cards with Gyft, meaning we use the cards as soon as they are purchased. We also use PayPal as our payment method, so no credit card information is stored on Gyft’s servers. Our passwords have now been changed, so hopefully we are in the clear, but I definitely don’t like that our address and dates of birth may have been taken.
Even if you didn’t receive a letter from Gyft, it is probably a good idea to change your password in order to ensure your account is safe. It is disconcerting to see so many of these data breaches and even more so when it involves money and sensitive personal information. Hopefully Gyft gets their act together, but I am trying to remember to trust these companies less and less to do so. When it comes to gift cards specifically, purchase and spend. Don’t leave balances or you might get burned.