March 6, 2019 - WEBSITE BREACH
We have become aware of a breach of data related to our customer database from memberreportaccess.com. We were notified of this data breach on March 4, 2019 by a media organization. The data breach consisted of a criminal posting an auction on the DarkWeb to sell “administrative access” to the customer database. This administrative access was not a file of information but purported to be access to individual consumer accounts in a customer administration portal using login credentials. We have no indication at this point in our investigation that the database was breached by anyone other than the person posting the auction. The criminal posted three screenshots that included the name, email address and password used for memberreportaccess.com for 37 accounts in the database. We have contacted of those customers whose information was available on the DarkWeb to notify them of the breach. Also, the breach appears to have been limited to the 37 accounts mentioned previously based on our initial investigation. We have refunded those customers the full purchase price of their transactions with us.
Please note that the database which was breached DOES NOT store full credit card numbers or other financial data. It only stores the last 4 digits of a credit card and
Immediately after being made aware of the breach we took the following steps to minimize the effects of the breach:
- Secured the database by resetting all passwords for administrative access.
- Blocked IP addresses from accessing the database unless they were “whitelisted” as known company IP addresses.
- Initiated an internal forensic investigation of the breach to attempt to identify the responsible party(ies).
- Obtained traffic logs and other auditing information from the database hosting server to assist in identifying possible suspects.
- Our initial investigation revealed a website that was readily available to the public which contained a screenshot of one of the posted images of the data breach. We immediately reached out to the website and the image was removed.
- Reported the breach to local and federal law enforcement agencies.
These actions have substantially decreased the ability of anyone who is not authorized to access our database.
Our investigation is in its early stages and is ongoing. We will provide updates on this page as they become available. At this time, we have not been made aware of any malicious activity on any accounts by customers. If you are a customer and have been affected by this breach please contact us to provide additional information.
We recommend users take the following actions to help minimize any adverse effects of this breach and to secure your online accounts:
- Change your password to any account which uses your email address for a login.
- Change your password to your email account.
- Change your username to any accounts which may have been compromised.
Status Update March 7, 2019
We continue to investigate the data breach which was reported on March 6, 2019. We are monitoring access to the administrative portal and have detected no access breaches. At this time no customers have alerted us to any breaches related to their user logins and passwords. We have deactivated the 37 affected accounts after contacting each customer and fully refunded all their purchases with us. We have also provided complimentary identity theft protection for 1 year to those affected customers whose user name and passwords were shown on the dark web.
As additional information becomes available we will continue to provide updates. Should you have any questions or concerns please contact customer service at 1-855-803-3397 or by email, live chat or text.
Status Update March 18, 2019
We continue to investigate the recent data breach on our site. As a result of this ongoing investigation we have identified five additional accounts that may have been improperly accessed prior to our knowledge of the breach. We have contacted each of these account holders and refunded their charges. In an abundance of caution we have also provided them with a one-year complimentary credit and identity monitoring subscription. There have been no breaches or any suspicious activity in our systems since we implemented the safeguards reported above. We will continue to update this information as we learn more.
Status Update April 5, 2019
We continue to monitor our networks for any anomalies. We have detected no security breaches or unauthorized access since implementing additional security measures to secure the site. Our investigation is continuing and the incident was reported to the Internet Cyber Crime Center. We will continue to update you as additional information becomes available.
For additional information on how to protect yourself from online crimes please visit https://www.identitytheft.gov/databreach.