Yesterday, the BigCrumbs website was down. The message reported that the site had been taken down in order to investigate possible fraudulent activity. Today, the website says this:
BigCrumbs.com is currently offline while we continue to investigate possible fraudulent activity.
UPDATE – 1/29/2015 – 11:05AM EST
Dear Valued Members,
We have determined that there has been unauthorized access to a number of member accounts. The number of confirmed affected accounts as of this writing is under 200. This number may increase as we continue to investigate.
It is important to note that this does not appear to be a site-wide breach of the type popularized in news reports. Rather, it appears to be the compromise of a limited number of accounts that utilized common or overly-simple passwords, or otherwise re-used credentials from a different site that was previously breached.
- There is no evidence that our servers or databases were compromised or penetrated. We continue to research this with our hosting provider.
- There is strong evidence that the means of unauthorized access were enabled via:
  - The attacker(s) taking advantage of the use of weak or common account passwords (including accounts for which the passwords were the same as the User IDs)
  - The attacker(s) utilizing user account credentials gained from breaches of other sites, wherein members used those same User ID/password combinations at BigCrumbs. Such credentials are widely sold/shared by potential attackers.
- The attack appears to have started on January 18, 2015, but possibly as early as December, 2014.
- Unauthorized access may have potentially revealed such member information as first and last name, e-mail address, postal address, and cash back history.
It is extremely important to avoid the use of common or overly simple passwords, as well as to avoid the reuse of account credentials at multiple sites.
What we are doing:
While we are still investigating and working to identify affected member accounts, we are also in the process of reaching out to those known to be affected, as well as our members in general.
As a precaution, the BigCrumbs.com site will remain offline until we’ve put into place several security measures, including:
- All members will need to reset their passwords upon their next sign-in attempt after the site is restored.
- Password requirements will become more stringent.
- BigCrumbs will not be able to pay members who have not reset their passwords. In some cases, additional verification may be required.
BigCrumbs' next scheduled payday is February 2, 2015 (because January 31st falls on a weekend). We are working to avoid delays in payment or any additional service interruption; however, securing affected accounts ahead of issuing payments is our priority. As such, there may be delays in this period's payments for the first time in BigCrumbs history.
We will update here with any additional details as they become available.
We apologize for any inconvenience to our valued members that this unfortunate incident may have caused.
Page loaded January 29, 2015 – 12:09:48 EST
Stay tuned. I’m sure that there will be more!
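The notice above attributes the compromise to passwords that were common, overly simple, identical to the User ID, or reused from accounts exposed in other sites' breaches, and says the remedy is a forced reset under stricter requirements. The following is an added example, not code from BigCrumbs or from this post, of what such a check looks like on a password-reset or registration path: it rejects the exact cases the notice names (password equal to or containing the User ID, a common password even with digits or punctuation bolted on, a password present in a breach corpus). The common-password set, the breach corpus, the `breached_range_lookup` helper and the sample user IDs are constructed stand-ins; a real deployment would back the lookup with a downloaded breached-hash list or a k-anonymity range query against a breached-password service.

```python
import hashlib
import re

# Constructed sample of a common/leaked-password list (stand-in for a real
# top-N corpus derived from prior breaches). Lowercase, letters only, so it
# can be matched after stripping trivial digit/punctuation suffixes.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc", "letmein",
    "welcome", "monkey", "iloveyou", "bigcrumbs",
}

# Constructed stand-in for a breached-password corpus: uppercase hex SHA-1
# digests, the shape used by k-anonymity "range" lookups. Built offline
# from three hypothetical plaintexts purely so the example runs stand-alone.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2014!", "Crumbs123", "hunter2")
}


def breached_range_lookup(prefix5):
    """Hypothetical offline stand-in for a range query: given the first 5 hex
    chars of a SHA-1, return {suffix: count} for every breached hash that
    shares the prefix. The server never learns the full hash."""
    return {h[5:]: 1 for h in BREACHED_SHA1 if h[:5] == prefix5}


def is_breached(password):
    """True if the password's SHA-1 appears in the (stand-in) breach corpus.
    This is the only server-side way to catch credentials reused from a
    breach of some other site."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breached_range_lookup(prefix)


def check_password(user_id, password, min_length=12):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    pw_lower = password.lower()
    uid_lower = user_id.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # The case the notice calls out explicitly: password == User ID.
    if pw_lower == uid_lower:
        problems.append("password is the same as the user ID")
    elif len(uid_lower) >= 4 and uid_lower in pw_lower:
        problems.append("password contains the user ID")

    # If the User ID is an e-mail address, also reject its local part.
    local = uid_lower.split("@")[0]
    if local != uid_lower and len(local) >= 4 and local in pw_lower:
        problems.append("password contains the e-mail local part")

    # "Password123!" is still "password": drop non-letters before matching.
    stripped = re.sub(r"[^a-z]", "", pw_lower)
    if pw_lower in COMMON_PASSWORDS or (stripped and stripped in COMMON_PASSWORDS):
        problems.append("password is on the common-password list")

    if is_breached(password):
        problems.append("password appears in a known breach corpus")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs covering each rejection path.
    samples = [
        ("jsmith", "jsmith"),
        ("jsmith", "Password123!"),
        ("jsmith@example.com", "Summer2014!"),
        ("jsmith", "correct horse battery staple"),
    ]
    for uid, pw in samples:
        verdict = check_password(uid, pw) or ["accepted"]
        print(f"{uid!r} / {pw!r}: {'; '.join(verdict)}")
```

The length and composition rules here are a policy choice; the checks that actually address the incident described are the User ID comparison and the breach-corpus lookup, since the attackers did not need to guess anything for accounts whose password was the User ID or was already on a sold credential list. Note that the lookup hashes the candidate password before any network request would be made, so a remote range service would see only a 5-character prefix.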