From October 3rd till December 18th, 2015 an unknown party was able to access two cloud providers used by Gyft without authorization. This party was potentially able to view & download the following information:
- Names
- Contact information
- Dates of birth
- Gift card numbers
- Gyft log in details
- Coinbase accounts linked to Gyft could have been used to purchase more gift cards
Full credit card details were not able to be accessed. As soon as Gyft realized that this data breach occurred, they made users who potentially had their data compromised change their password and logged out affected users. If you attempted to log into Gyft between March 19th and December 4th your log in details may have been compromised (I’m unsure why this has a different date range). According to Krebs On Security (who first reported this issue in mid December of last year), this issue has affected a high single digit percentage of Gfyt users.
What You Should Do
- If you have a Coinbase account linked, make sure no unauthorized transactions were made between October and now
- Monitor any gift cards that were in your Gyft account before January 8th
- Change any logins that share information with your Gyft account (I recommend using a different e-mail/password combo for each website to avoid this issue).
I’m not sure why Gyft has taken so long to notify customers of this data breach when Krebs On Security was aware of it in mid December. The only started sending out press releases and mail outs to affected users on February 5th. More information about this breach and F.A.Q’s can be found here.
Both this data breach and the sudden and possibly unannounced ending of the Gyft Rewards program I think I’m done with Gyft. That 2% rewards when buying cards with paypal was a great motivator to me. What advantage do they offer me now unless I want to buy giftcards using bitcoins and I don’t want to get involved with virtual currencies.
I got a letter from Gyft yesterday. Fortunately, I used all my gift cards I purchased from them and changed my login information. Surprised it took this long for notifying us.
Were you aware of this DoC? I was also forced to change my password sometime in December I think, but it wasn’t clear why, they just didn’t allow me to login with my old one. Still haven’t received any communication from them. Luckily I only have one eBay gc in my account which is partially used and no credit card info with them.
I wasn’t aware of this until yesterday, I saw the Kerbs post on in hindsight. Not sure why they didn’t let consumers know earlier when he had let them know in mid December. I’ve added the Kerbs site to my feedly since he so often breaks these types of stories.
It makes you wonder if they did have some sort of reaction before they made this widely public, and then went into some sort of panic mode and went silent on this for 2 months. The fact that two commenters on just this post were prompted to change their password in the first half of December, without any reasoning why, and within days of the breach being reported to then
Lol… and Gyft wanted ‘me’ to verify all sorts of personal information prior to allowing me to buy a $50 gift card. Glad I told them to pound sand.
Looking through the history on my password management app, I was prompted to change my password by Gyft on 12/09/15. Hmm..
It’s Krebs, not Kerbs.
Fixed, I always say Kerbs for some reason.
For once I’m glad that once you use an eBay gc, it gets locked to a particular PayPal account. The only gc’s I have in my Gyft account that still have a remaining balance are ones I partially used on eBay already.