electronic_cigarette
DirectVapor security breach https://ift.tt/39p0S90

Hey guys,

Just a heads up, I had my bank account cleaned out a couple days ago by someone using my full CC#, name and photo ID. Working backwards, and seeing that $300+ was spent at VaporFi, I realized the photo ID image they used for age verification was the exact image I had sent to DirectVapor about a year ago. YAY! :rollseyes:

DirectVapor is using a ridiculously outdated version of Magento on their backend. The version they're running is several years old and is vulnerable to a rather nifty SQLi exploit that allows attackers to dump all their database tables… which would include names, addresses, credit card info, photo IDs submitted for age verification, etc. I'm assuming they've at least been smart enough to store our account passwords in a hashed/salted format rather than plaintext but seeing how inept they are at simple tasks like updating their customer-facing shit… I'm starting to doubt that.

I'm working with the local law enforcement agency now where the stuff was shipped to pursue charges. Not much I can do about the Apple/Google/etc shit they bought (although my bank is handling that) but it's a start. Just… fuck this guy.

To be honest, between fucking me for over a year because something I ordered that showed "in stock" when I paid, but was actually on backorder (and stayed on backorder for over a year before they finally agreed to give me a refund)… I can't recommend their companies. Absolutely fucking ridiculous.

So seriously, if you've ever bought anything at DirectVapor/VaporFi or any of their affiliates, I'd highly recommend watching your shit. And FWIW, use something like privacy.com from here on out. It's not worth the headache.


Submitted March 26, 2020 at 11:29PM by TheDocRaven
via reddit https://ift.tt/2R3WIgL
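The post raises two defensive points without showing them: a query that pastes user input into SQL text lets one crafted value return every row of a table, and password columns are only safe in a dump if they hold salted, slow hashes rather than plaintext. The block below is an added illustration written for this page, not code from the poster, from DirectVapor or from Magento; it uses a constructed in-memory SQLite table with two made-up customers, and the function and column names (`customers`, `lookup_unsafe`, `lookup_safe`, `hash_password`) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for a shop's customer table.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery staple"),
]

# PBKDF2-HMAC-SHA256 iteration count; slow by design so a dumped table
# cannot be brute-forced cheaply.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a salted hash encoded as 'pbkdf2$<salt hex>$<digest hex>'.

    A fresh random salt is generated when none is supplied, so two users
    with the same password get different stored values.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db() -> sqlite3.Connection:
    """Create the constructed customers table; only hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(email, hash_password(pw)) for email, pw in SAMPLE_CUSTOMERS],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so a value containing quotes changes the query's logic."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value travels as a bound parameter and is
    compared literally, never parsed as SQL."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def dumped_plaintext_count(conn: sqlite3.Connection) -> int:
    """Simulate what a full table dump yields: count rows whose password
    column is a raw sample password instead of a hash (should be zero)."""
    raw_passwords = {pw for _, pw in SAMPLE_CUSTOMERS}
    rows = conn.execute("SELECT password_hash FROM customers").fetchall()
    return sum(1 for (value,) in rows if value in raw_passwords)


if __name__ == "__main__":
    db = build_db()
    print("safe lookup:", lookup_safe(db, "alice@example.com"))
    print("unsafe lookup with crafted value:", lookup_unsafe(db, "' OR '1'='1"))
    print("safe lookup with same value:", lookup_safe(db, "' OR '1'='1"))
    print("plaintext passwords visible in a dump:", dumped_plaintext_count(db))
```

Running it shows the unsafe lookup returning both rows for a single crafted value while the parameterised query returns none, and a simulated dump of the table containing no recoverable plaintext passwords. The same two properties (bound parameters everywhere, salted slow hashes in the password column) are what a reader should expect of any shop that holds their details.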
