Operators of the popular cash-back shopping service BigCrumbs took the site offline after discovering some members’ accounts had been compromised.
BigCrumbs.com CEO Vince Martin said an unknown party gained unauthorized access to a number of member accounts, but it was not a breach or hack of BigCrumbs. That’s an important distinction, said Martin.
“The evidence strongly suggests that the attacker used credentials gained in breaches of other sites, where users who’d been compromised on those sites had re-used the same credentials at BigCrumbs.”
He said there was also some evidence to suggest the attacker exploited weak and commonly used passwords. BigCrumbs has confirmed fewer than 200 unauthorized accesses, but the actual number could be higher.
Martin also said no credit cards were compromised because the site does not collect credit card information. “Notably, it’s very possible and, perhaps, likely that the attacker already had access to the member’s contact information, given the mode of access.”
BigCrumbs took the site offline “out of an abundance of caution” while it performed analysis on the situation. “We then decided we needed to keep it down while we implemented the additional security measures indicated (e.g. new password requirements, etc.),” Martin said. “Finally, we decided to keep the site offline even longer as we saw an opportunity to make other changes to enhance our program and position us for future offerings. We’re setting an ETA for the site’s return at 1 – 2 weeks.”
Upon return of the website, all members will be required to reset their passwords, which will need to conform to stricter complexity standards.
“Thankfully, I believe a lot of the potential for additional damage was mitigated by our fairly quick realization of what was happening,” Martin said.