Will Run For Miles

Combining Travel Fitness and Running

UPDATE: BigCrumbs Confirms Fraudulent Activity and Unauthorized Access to Accounts

By Leave a Comment

This page may contain affiliate links from our advertising partners for which we many receive compensation. This may impact how and where products appear on this site. This site does not review or include all companies or all available products. We are thankful when you support this site by using our links.

Yesterday, the BigCrumbs Website was down.  The message reported that the site was down in order to investigate possible fraudulent activity.  Today, the Website says this:

BigCrumbs.com is currently offline while we continue to investigate possible fraudulent activity.

UPDATE – 1/29/2015 – 11:05AM EST

Dear Valued Members,

We have determined that there has been unauthorized access to a number of member accounts. The number of confirmed affected accounts as of this writing is under 200. This number may increase as we continue to investigate.

It is important to note that this does not appear to be a site-wide breach of the type popularized in news reports. Rather, it appears to be the compromise of a limited number of accounts that utilized common or overly-simple passwords, or otherwise re-used credentials from a different site that was previously breached.

Additional Information:

  1. There is no evidence that our servers or databases were compromised or penetrated. We continue to research this with our hosting provider.
  2. There is strong evidence that the means of unauthorized access were enabled via:
    • The attacker(s) taking advantage of the use of weak or common account passwords (including accounts for which the passwords were the same as the User IDs)
    • The attacker(s) utilizing user account credentials gained from breaches of other sites, wherein members used those same User ID/password combinations at BigCrumbs. Such credentials are widely sold/shared by potential attackers.
  3. The attack appears to have started on January 18, 2015, but possibly as early as December, 2014.
  4. Unauthorized access may have potentially revealed such member information as first and last name, e-mail address, postal address, and cash back history.

It is extremely important to avoid the use of common or overly simple passwords, as well as to avoid the reuse of account credentials at multiple sites.

What we are doing:

While we are still investigating and working to identify affected member accounts, we are also in the process of reaching out to those known to be affected, as well as our members in general.

As a precaution, the BigCrumbs.com site will remain offline until we’ve put into place several security measures, including:

  1. All members will need to reset their passwords upon their next sign-in attempt after the site is restored.
  2. Password requirements will become more stringent.
  3. BigCrumbs will not be able to pay members who have not reset their passwords. In some cases, additional verification may be required.

BigCrumbs’s next scheduled payday is February 2, 2015 (because January 31st falls on a weekend). We are working to avoid delays in payment or any additional service interruption, however, securing affected accounts ahead of issuing payments is our priority. As such, there may be delays in this period’s payments for the first time in BigCrumbs history.

We will update here with any additional details as they become available.

We apologize for any inconvenience to our valued members that this unfortunate incident may have caused.

Sincerely,

Vince Martin
CEO
BigCrumbs.com

Page loaded January 29, 2015 – 12:09:48 EST

 

Thus, according to this message:
1. Some accounts were accessed, and such access occurred to accounts with weak passwords, or accounts where credentials were gained from other websites.
2. Attack began January 18, 2015, but maybe a month earlier.
3. No evidence that the servers or databases of BigCrumbs were hacked.
4. The website remains down, but when it is brought back up, everyone will have to create new passwords.

Stay tuned.  I’m sure that there will be more!

Editorial Note: The editorial content on this page is not provided by any of the companies mentioned, and has not been reviewed, approved or otherwise endorsed by any of these entities. Opinions expressed here are author's alone.

Responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Will Run For Miles

Will Run For MilesA New York frequent flyer who elegantly combines her passions for worldwide travel, running a gazillion marathons all over the globe and staying fit ... without sacrificing her fancy for good wine and food.

Recent Posts

Pin It on Pinterest