Eye4Fraud Breach Exposes Data Of Millions Of Ecommerce Shoppers
UPDATE 3-17-23
Eye4Fraud has finally publicly acknowledged the breach in a statement posted on their website:
We recently experienced a cybersecurity incident where a backup file that related to certain customers and contained limited information was subject to unauthorized access. We moved to promptly retain cybersecurity experts and outside advisors to assist us in our response. We have notified and are cooperating with law enforcement authorities to investigate the incident.
We provide fraud protection services for ecommerce merchants, who provide us with limited information about transactions. We do not collect sensitive personal information about individuals like account passwords or full payment card numbers in the course of providing our services.
We are working to understand the situation, and our priority is to provide accurate information, including any additional updates as appropriate.
However, instead of doing the ethical and responsible thing by having a banner or other above the fold, prominent notice to users, Eye4Fraud has chosen to bury the link to this statement at the very bottom of the page in their footer....behind an ambiguous link that just says "Statement About Recent Event."
That's not nearly good enough and any serious company would know that. 👎
UPDATE 3-13-23
Eye4Fraud still has not responded to calls for responsible disclosure of this breach, but another impacted merchant has come forward and Abstract Ocean isn't pulling any punches.
Pete White
On March 6, 2023, Troy Hunt notified users of his website (HaveIBeenPwned) that Eye4Fraud ("E4F") experienced a data breach involving ~16M accounts.Abstract Ocean trialed Eye4Fraud's services between August 2019 and January 2020. E4F provides services that help protect against fraudulent orders (ignore the irony there) for eCommerce companies.
Unfortunately, they have so far failed to disclose any information about this breach. We have contacted them directly for information, but they have not been forthcoming to us, or anyone else for that matter (e.g. there is not even a mention of the breach on their website). What we know is based on information mostly provided by Troy on Twitter. We will update this page as we find out more.
Ecommerce fraud detection and prevention SaaS Eye4Fraud has reportedly experienced a massive undisclosed data breach, exposing over 16 Million emails and other customer data from ecommerce businesses who use their service.
New breach: Eye4Fraud had 16M unique email addresses and millions of orders posted to a hacking forum last month. Data is allegedly both users of the service and orders placed using Eye4Fraud for protection. 77% were already in @haveibeenpwned. More: https://t.co/UskfWSZKER
— Have I Been Pwned (@haveibeenpwned) March 6, 2023
Troy Hunt, creator of Have I Been Pwned, detailed his efforts to contact Eye4Fraud and encourage ethical disclosure of the breach - which so far Eye4Fraud has not done.
Disclosure is important because it affords the organisation an opportunity to properly communicate the incident. Let's count the ways this has been attempted either indirectly or directly starting with the first tweet I found: https://t.co/KFtPhMB46S
— Troy Hunt (@troyhunt) March 6, 2023
The third tweet is mine: https://t.co/6i4LOJKnd3
— Troy Hunt (@troyhunt) March 6, 2023
The fifth attempt is a direct email to the address that appears on every single one of their pages: pic.twitter.com/TzFy8qMe1Y
— Troy Hunt (@troyhunt) March 6, 2023
No reply to anything. Nada. Zilch. And their security.txt? It, uh, "doesn't conform to spec": https://t.co/EcRDIMWk38
— Troy Hunt (@troyhunt) March 6, 2023
As Hunt points out, this is a particularly important breach because many of the impacted users will have no idea their information was ever shared with Eye4Fraud.
When you shop on any ecommerce website, the company you purchase from may use third party software for any number of aspects of the shopping journey, including fraud detection - and that's exactly what Eye4Fraud is.
If you shop on any site that uses Eye4Fraud's service, your personal information will be shared with them as part of the fraud checking process and as the buyer, you likely aren't even aware.
Here's how it works, according to Eye4Fraud:
Every order, including phone orders, is put through our cutting-edge AI system. This system uses Persona™ and Dynamic Scoring™ technology to go deeply into your customer's profile and make sure everything is legit.
Some of the data that gets pulled into our system:
- Email address
- IP location
- Behavioral data
- Purchasing history
- Issuing bank data
- Public records
No red flags? Your order gets approved — within 2 minutes.
Hunt put together a full list of SiteName values and the number of customer records from each site that were allegedly exposed in the breach.
262588213843476
It shouldn’t take a CSV in a Gist read by victims of a data breach who then need to seek out contacts in other companies to try and report the incident and get traction. There are 16M people impacted here, have any of you managed to get any response whatsoever from Eye4Fraud? https://t.co/xvjZzYu9de
— Troy Hunt (@troyhunt) March 8, 2023
While Eye4Fraud has not yet disclosed the breach, curiously the top impacted site, LovelySkin, has now been removed from Eye4Fraud's customer page.
Just so you know, they wiped that screen grab from their site. I also have DM'd @LovelySkin and am awaiting 🤷♀️ a response. Aren't the sites involved required by law to notify us?
— Marsha Collier (@MarshaCollier) March 9, 2023
The direct URL for LovelySkin's customer page now redirects back to the Eye4Fraud homepage, but the Internet Archive shows what the page used to look like.
So far at least once merchant who used Eye4Fraud's services and is listed in the breach has notified their customers in a textbook example of how disclosure should be handled.
Dear ZYLtech.com Customers,
We are writing to inform you about a potential data breach incident that may have impacted your personal information.
We have recently learned that Eye4Fraud, our service provider for fraud detection and prevention services, has experienced a data breach that may have impacted our customers. The breach may have exposed personal information, such as your name, address, phone number, email address, payment type and last 4 digits of your credit card if used during ordering. We don't store your password so your password at ZYLtech.com is not affected by this incident. We strongly recommend you to be cautious of phishing emails and phone calls.
We have stopped our connection with Eye4fraud immediately after we learned of this breach. We apologize for any inconvenience or concern this may cause, and we want to assure you that we are doing everything in our power to address the situation and take action to enhance the protection of your information. We value your business and will keep you informed as we learn more.
Best-selling ecommerce author Marsha Collier shared the FTC's requirements for businesses to notify consumers of security breaches involving personal information.
"All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information" - @FTChttps://t.co/bpdTYHfCi3
— Marsha Collier (@MarshaCollier) March 9, 2023
Notify Appropriate Parties
When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals.Determine your legal requirements. All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business.
Notify individuals. If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider:
- state laws
- the nature of the compromise
- the type of information taken
- the likelihood of misuse
- the potential damage if the information is misused
The Eye4Fraud breach is also being discussed on HackerNews:
And Reddit:
Have you been impacted by the Eye4Fraud data breach? Let us know in the comments below!
