Credit Card Fraud - My Freedom Smokes?

DustinT

Hi, Dustin here from MFS. Wanted to touch base to clear up a few things as much as possible.

Yes, unfortunately our site was attacked and a data breach did occur earlier this year. We have directly notified all customers that were possibly affected by the attack to let them know that their information may have been vulnerable.

Since then we have made several changes to improve security and secure our customers' data. One of the main steps we took was to hire an established and well respected security firm to handle our payment processing. As a result, our site is 100% Level 1 PCI Compliant and is more secure than 99.9% of websites online. For the more technically savvy I have included a bit more info below about how payment data is handled so that it is no longer stored or even really entered on the MFS website. I'm not an expert in this field, but I'll explain it the best I can.

1) During the payment phase of checkout the credit card number and CVV number fields are served using an iFrame from the security firm that handles our payment processing
2) Customer enters their sensitive payment info directly into the iframe and submits it directly to the security company (data is encrypted and therefore not vulnerable to cross site scripting)
3) Security company replies with tokenization value rather than full payment data to confirm valid data was received

Using this method customers are actually never inputting their payment data into the MFS site. It looks like you are submitting it to the MFS site, but because of the iframe the fields with the sensitive data are actually submitted directly to the security firm's site where it is encrypted. Video about how it works can be found here: http://www.hostedpci.com/iframe-security/

Also, for those asking about payment info saved on their account so that they don't have to reenter it when placing another order, this info is not saved on the MFS site either. It is encrypted on the security company's server and therefore cannot be accessed by anyone if they were to attack our site again. What about their server you say? An attack on their server would be next to impossible and even then the data is encrypted, so it would essentially be useless.

We have constantly monitored our site intensely and we deeply investigate every inquiry regarding the possibility of subsequent breaches, but to date we have found zero evidence that any further info has been breached outside of the window earlier this year.

We certainly understand everyone's concerns regarding the safety of their information and think it is a good thing that many people are so hesitant. As painful as this experience was for us, it did serve to teach us a lot about the capabilities of the attackers and what can be done to prevent them. As a result, we are way more prepared and protected than most other sites you may visit and are more confident than ever that the sensitive info customers input on our site is safe and sound.
 

Sully

I appreciate you chiming in @DustinT. I was never notified that my CC info was breached! And #2, it seems this is still happening to people that purchase from your site. A lot of people who are getting hit right now ordered late last year from your site (same time I did). Follow that FB post I put in the OP.


I got hit August 12th as well. I'm certain this is not a coincidence. We ordered from MFS around the same time, and we got fraudulent charges right around the same time.
 


f1r3b1rd

Considering I've been hearing of these issues with this particular vendor for over a year now, and this is the first time I've seen them say anything, and it's a passing of the buck?
Lucifer, will be serving snow balls in the 8th circle of hell before I make another purchase there.
 

Robert B

Anyone purchase Rayon from Sally's last November? They got hacked by a Ukrainian group at the same time they installed malware on Target's checkout terminals
 

DustinT

> I appreciate you chiming in @DustinT. I was never notified that my CC info was breached! And #2, it seems this is still happening to people that purchase from your site. A lot of people who are getting hit right now ordered late last year from your site (same time I did). Follow that FB post I put in the OP.
>
> I got hit August 12th as well. I'm certain this is not a coincidence. We ordered from MFS around the same time, and we got fraudulent charges right around the same time.

Thank you. I will look into this. Also, can you send me a PM or email with the email address you used to create your account on our site? I would like to research why you were not notified.

> Now, if you'd clear up that pricing issue. Just maybe....
>
> Some prices doubling, from select to checkout.

Can you give me an example of a product that this is occurring with? I was aware we had some issues with pricing on our bundles, but that got straightened out the other day. Now, I'm wondering if the fix they put in place for that ended up affecting other products.
 

PuffPuffPass

> Thank you. I will look into this. Also, can you send me a PM or email with the email address you used to create your account on our site? I would like to research why you were not notified.
>
> Can you give me an example of a product that this is occurring with? I was aware we had some issues with pricing on our bundles, but that got straightened out the other day. Now, I'm wondering if the fix they put in place for that ended up affecting other products.

Pricing issue I noticed: 500ml of VG shows $4 on my end. At checkout, the price is $10 and some change. Then there's shipping.

Correcting here: that may have been the 250ml bottle. I'll check again to be sure.
 

DustinT

> Pricing issue I noticed: 500ml of VG shows $4 on my end. At checkout, the price is $10 and some change. Then there's shipping.
>
> Correcting here: that may have been the 250ml bottle. I'll check again to be sure.

Oh okay, I see what you are looking at. In the dropdown box it is stating that the 500ml bottle is +$4.00 more in relation to the price of the currently selected option. If you choose the 500ml option you will see the price at the top of the page change from $6.95 to $10.95. If you were to go back and look at the options again at this point you would see the 250ml option with a -$4.00 next to it to indicate that it is $4 less than the price of the current option.

[two screenshots of the product page's size dropdown attached]
 

PuffPuffPass

> Oh okay, I see what you are looking at. In the dropdown box it is stating that the 500ml bottle is +$4.00 more in relation to the price of the currently selected option. If you choose the 500ml option you will see the price at the top of the page change from $6.95 to $10.95. If you were to go back and look at the options again at this point you would see the 250ml option with a -$4.00 next to it to indicate that it is $4 less than the price of the current option.

As a former business owner, I'm just going to come straight out and say it.

That is the most F'd up pricing method I've seen in a long time. 99% of people THINK price. Not, how much math do I need to do today?

Best of luck to you.
 

f1r3b1rd

> As a former business owner, I'm just going to come straight out and say it.
>
> That is the most F'd up pricing method I've seen in a long time. 99% of people THINK price. Not, how much math do I need to do today?
>
> Best of luck to you.
As a human who buys things I agree.
 

PuffPuffPass

> As a human who buys things I agree.

I know what he's thinking, but he's wrong.

And I have to question whether it's just poor rationale, or deliberate. Because the majority of people do like me: they spin that selector wheel on their iPhone and make a selection, only glancing at the numbers, without ever letting the price "update" on the page.

Which in this case, he admits there may be a +/- beside the number. :confused:
 

Robert B

That drop down menu works fine on my computer and updates the main price when selecting options. Works fine on my Samsung Tab-S and Samsung S6 phone too. The computer shows a drop down menu, the Tab & phone pop up a window with buttons. Both update the main page properly.
 

PuffPuffPass

> That drop down menu works fine on my computer and updates the main price when selecting options. Works fine on my Samsung Tab-S and Samsung S6 phone too. The computer shows a drop down menu, the Tab & phone pop up a window with buttons. Both update the main page properly.

Works fine on mine too. But that's not the issue here.

Most people work with a common separator when working with numbers. Usually -

But, others use something else. / | or even +.

While others (a majority) expect to see the actual price in a drop down menu. NOT, here you go, add this to what you see on the screen for your price.

Clearly, it has worked for him. Just like rebates have worked for the auto industry for 40+ years.

I've been online since the mid 90's. And this is the FIRST operator I've seen run a site like that.

Off my soapbox now, and back to work. It is what it is. And clearly it will remain that way.
 

Nailz

> As a former business owner, I'm just going to come straight out and say it.
>
> That is the most F'd up pricing method I've seen in a long time. 99% of people THINK price. Not, how much math do I need to do today?
>
> Best of luck to you.

That is the way most juice sites do their pricing, nothing new and not like MFS is doing it different to all other vendors out there, you just select what size you want and the price updates, not rocket science ;)
 

f1r3b1rd

I'm still curious on how many times MFS security was breached if this has been going on for over a year
 

PuffPuffPass

> That is the way most juice sites do their pricing, nothing new and not like MFS is doing it different to all other vendors out there, you just select what size you want and the price updates, not rocket science ;)

You're right, it's not. It's HTML & a few scripts.

 

UncleRJ

Granted that I am beyond a wee bit paranoid (I see @Whiskey peeking through my bathroom window all the time), here is what I do when I want to place an online order.

I have a debit card that normally has a balance of $1.

When I need to place an order for ANYTHING online, I just stop short of hitting the button to place the order so I can see the exact amount needed for the transaction.

Then I transfer the funds needed for said transaction via my online banking interface to the debit card leaving a balance of $1 after the order is placed.

Ideally, I use PayPal so that along with the protection on my debit card I am doubly covered from credit card theft and scams.

Sure this takes a bit of effort but so far, so good and I have not had any issues yet!
 

Nailz

> I use a prepaid debit card for all of my online shopping. These days it just makes sense.
>
> Sent from my HTC Desire 626s using Tapatalk

I tried that, but 2 problems, one being it can take up to 7 days to transfer money from my bank, and also not all stores will let you use prepaid cards.

Now I use google wallet suggested by dre, transfer is instant, easy no hassle :)
 

CTFX

Wow, thanks for this thread guys! I have that site in my favorites/bookmarks. Perhaps we should inform Joe about this. MFS gets pimped a lot with the blog site.

Sent from my SM-G900T using Tapatalk
 

f1r3b1rd

> Wow, thanks for this thread guys! I have that site in my favorites/bookmarks. Perhaps we should inform Joe about this. MFS gets pimped a lot with the blog site.
>
> Sent from my SM-G900T using Tapatalk
I think that's the best post in the thread
 

Jimi

> That drop down menu works fine on my computer and updates the main price when selecting options. Works fine on my Samsung Tab-S and Samsung S6 phone too. The computer shows a drop down menu, the Tab & phone pop up a window with buttons. Both update the main page properly.

Well then what happened with Whiskey's dummy order?
 

SirVtHondaGuy08

Wow, I ordered from them a week or so ago. Just logged on and deleted my CC info; thankfully I ordered with my PayPal Business debit card. PayPal don't play no games!!!!
 

Robert B

> Well then what happened with Whiskey's dummy order?

She didn't post a screen shot of what she ordered, but I'd guess it had to do with "Discount Applies to Max Quantity of 2 of each product".

It worked fine on my order.

 
This wouldn't apply to Freedom Mods as well, would it? I know it's a different name, but I did business with them before and had a problem with being charged and not receiving my product. Just curious, thanks.


Sent from my iPhone using Tapatalk
 

Fictitious Character

This is very interesting I will have to look up the dates but last January or so I got a charge on my card from Beachbody for some weight gain supplements. It was a 160ish dollars and when calling Beachbody they seemed shady as hell, and even though being the rightful card holder it was difficult to get information out of them. They did not want to reverse the charges claiming that the stuff had already been shipped to Ohio.

Ended up cancelling the card and got the money back from the bank, but I was only using that card for vape related purchases. MFS was one of them but so were a handful of other places. I just purchased from MFS on that last 40% off coil deal. So I will be watching that card for fraudulent activity.
 

f1r3b1rd

> This is very interesting I will have to look up the dates but last January or so I got a charge on my card from Beachbody for some weight gain supplements. It was a 160ish dollars and when calling Beachbody they seemed shady as hell, and even though being the rightful card holder it was difficult to get information out of them. They did not want to reverse the charges claiming that the stuff had already been shipped to Ohio.
>
> Ended up cancelling the card and got the money back from the bank, but I was only using that card for vape related purchases. MFS was one of them but so were a handful of other places. I just purchased from MFS on that last 40% off coil deal. So I will be watching that card for fraudulent activity.

You would be the 5th person that I know to have had that happen. From the same vendor..... I'm not a rocket scientist or anything......
The first two I know had this happen back in June of last year, another friend of mine had it happen two months ago, then the op.
The vendor came here said there was a security breach hacked.....I guess Paul Blart does the security


I guess the sale on nicotine means the 40$ Nic will cost you a month of dealing with fraudulent charges plus the 40$ and a peptic ulcer.
 

OneBadWolf

> It is illegal for US vendors to use PayPal for vaping related items.
> The ones on eBay are still there because they haven't got caught yet.
> First time a customer complains and escalates that complaint the seller gets shut down.
> I sold an Itaste VTR on eBay and they came 3 months AFTER the sale and took the feedback for the transaction away and gave me a warning.

I am curious about this: when you say illegal, do you mean it contravenes a PayPal rule, or is there a federal law that regulates this?

From my perspective, this vendor failing to fix their shit can only be interpreted as apathy, or complicity. Either way, they don't deserve to remain in business. This might be an opportunity for this forum to have an impact on these scam operators. Let's send them on their way and they can go back to flogging get rich quick schemes and time share condo opportunities.
 

OneBadWolf

> Hi, Dustin here from MFS. Wanted to touch base to clear up a few things as much as possible.
> Yes, unfortunately our site was attacked and a data breach did occur earlier this year. We have directly notified all customers that were possibly affected by the attack to let them know that their information may have been vulnerable.


Hey Dustin. Who wrote the response for you? Seemed a little polished and contrite to me, so I cut and pasted a few lines and fed it to the 'ol search engine.

"We have constantly monitored our site intensely and we deeply investigate every inquiry regarding the possibility of subsequent breaches, but to date we have found zero evidence that any further info has been breached outside of the window earlier this year."

The first search result was: http://www.ibe.org.uk/userfiles/op_trustcasestudies.pdf


Obviously, you DID NOT "directly notified all customers that were possibly affected by the attack to let them know that their information may have been vulnerable."

I also went to your website. Not one mention of you getting "haxxed", or warning that your customers may be at risk. I even read through your blog. And who are you Dustin T? And why hasn't Chris Yelton responded?

"Based out of Charlotte, NC, Freedom Smokes, Inc. is the brainchild of founder Chris Yelton. A smoker himself, Yelton set out in 2008 to provide a cigarette alternative that would satisfy cravings with none of the harmful effects of the chemical-laden cigarettes that currently fill the market."

Chris Yelton. 52 years of age.



https://www.linkedin.com/pub/chris-yelton/25/808/100

And you managed to earn yourself an F Rating with the Better Business Bureau.

http://www.bbb.org/charlotte/business-reviews/e-cigarettes/freedom-smokes-in-charlotte-nc-272374

And if that wasn't enough, spamming. I opened an account, in which I did not subscribe to your "newsletter" and guess what came in the next email. (no confirmation needed by email to open an account)??

Screenshots at the bottom.


Half of the members in this forum were born at night. Unfortunately for you, not last night.


Site info:

Domain Name: MYFREEDOMSMOKES.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2011-01-13 15:15:27
Creation Date: 2009-01-12 01:05:40
Registrar Expiration Date: 2014-01-12 01:05:40
Registrar: GoDaddy.com, LLC
Registrant Name: Chris Yelton
Registrant Organization: Freedom Smokes Inc.
Registrant Street: 8208 Lawyers Rd.
Registrant City: Charlotte
Registrant State/Province: North Carolina
Registrant Postal Code: 28227
Registrant Country: United States
Admin Name: Chris Yelton
Admin Organization:
Admin Street: 8208 Lawyers Rd.
Admin City: Charlotte
Admin State/Province: North Carolina
Admin Postal Code: 28227
Admin Country: United States
Admin Phone: +1.7042266808
Admin Fax:
Admin Email: [email protected]
Tech Name: Chris Yelton
Tech Organization:
Tech Street: 8208 Lawyers Rd.
Tech City: Charlotte
Tech State/Province: North Carolina
Tech Postal Code: 28227
Tech Country: United States
Tech Phone: +1.7042266808
Tech Fax:
Tech Email: [email protected]
Name Server: NS1.BIGCOMMERCE.COM
Name Server: NS2.BIGCOMMERCE.COM
 

[two screenshots attached: the account sign-up and the newsletter email that followed]

5150sick

> Paypal is accepting ecig vendors. They have to be pre-approved. They also accept tobacco vendors like JR Cigars

Can you name a few?

I'll start: Totallywicked - They are based out of the UK so they are using a loophole to accept PayPal
 

Fictitious Character

> You would be the 5th person that I know to have had that happen. From the same vendor..... I'm not a rocket scientist or anything......
> The first two I know had this happen back in June of last year, another friend of mine had it happen two months ago, then the op.
> The vendor came here said there was a security breach hacked.....I guess Paul Blart does the security
>
> I guess the sale on nicotine means the 40$ Nic will cost you a month of dealing with fraudulent charges plus the 40$ and a peptic ulcer.
At the time MFS was at the bottom of my suspect list because I had ordered from 1/2 a dozen or more smaller vape related places and was really suspecting a smaller shop in Jersey as the possible cause. But having ordered from MFS last week on that coil sale I noticed that they still had my card on file which I found unusual because I don't save credit card info with google and always uncheck the box when places ask to keep it on file.

I have gone through and deleted the card info from my last purchase at MFS and will be keeping an eye on card activity for that card I just recently used at MFS.

Glad I came across this thread.
 

DustinT

> Hey Dustin. Who wrote the response for you? Seemed a little polished and contrite to me, so I cut and pasted a few lines and fed it to the 'ol search engine.
>
> "We have constantly monitored our site intensely and we deeply investigate every inquiry regarding the possibility of subsequent breaches, but to date we have found zero evidence that any further info has been breached outside of the window earlier this year."
>
> The first search result was: http://www.ibe.org.uk/userfiles/op_trustcasestudies.pdf
>
> Obviously, you DID NOT "directly notified all customers that were possibly affected by the attack to let them know that their information may have been vulnerable."
>
> I also went to your website. Not one mention of you getting "haxxed", or warning that your customers may be at risk. I even read through your blog. And who are you Dustin T? And why hasn't Chris Yelton responded?

I personally wrote the response from scratch without referencing any other site or study. Any similarities you found to another piece of writing are merely coincidental.

The breach occurred between Feb 11th - Mar 16th of 2015 and since that time no further breach has occurred. Customers that placed an order within the time period of the breach were notified in accordance with their state's unique consumer notification laws (via phone, mail, and/or email).

The vulnerability that the attackers took advantage of was a part of the core Magento code that allowed for cross site scripting. Lots of Magento stores were breached around this same timeframe. Whether or not it was by the same attackers, we do not know for sure. What we do know is that the attackers did not immediately use the information that they had intercepted. They delayed in using the data that they had become privy to for over a month so that they could accumulate a significant mass of data before we had a chance to respond. They also seem to use batches of the data they stole in waves so as to not draw too much attention.

The silver lining is that we now have a deep understanding of what it truly takes to make our customers' data secure. Previously we took the word of the site developers and the fact that we consistently passed PCI compliance scans to mean that the data was secure, but that is just the mere tip of the iceberg. Because of this experience we are now more knowledgeable and more protected than 99.9% of the eCommerce sites on the web.

My full name is Dustin Taylor and I'm the Marketing Director here at MFS, but like many of us here I often wear many different hats. Here is a link to my LinkedIn profile if you are interested: www.linkedin.com/in/dustintaylormba

Chris Yelton is the owner and is no longer heavily involved in the day to day operations of the business.

BBB is almost worthless when it comes to determining what a company is like. No one ever goes there to post anything positive and even if the business responds to a complaint the customer can just not respond that the issue was resolved and the rating still goes down. Of the complaints I see listed there I think one is legit and the rest are customers that were upset that we wouldn't provide them with something for free when it was a mistake on their part.

As for the newsletter, I'm not sure about that one and I would be happy to look into it further if you would be willing to provide me with your email address. I do know that we essentially have two different email lists. One for automated emails regarding order info and one for our sales/promotional emails. I'm guessing that maybe you got added to the former and not the latter, but I would have to look into it further to be sure.
 

CTFX

Thanks for coming out MFS to clarify things!

Sent from my SM-G900T using Tapatalk
 

DustinT

> Thanks for coming out MFS to clarify things!
>
> Sent from my SM-G900T using Tapatalk

Not a problem.

Also wanted to say that I'm not here to try to promote our site from a marketing perspective. I know this experience has left a bad taste in the mouth of many customers that were affected by the breach. I can't say that I blame you as I would be upset as well. Obviously we would rather that it never happened, but unfortunately it did happen, and all we can do at this point is learn from it and become better because of it.
 

Robert B

> Can you name a few?
>
> I'll start: Totallywicked - They are based out of the UK so they are using a loophole to accept PayPal

All the Chinese companies do, but like the UK, PayPal must have different rules for non-US companies. I've seen a few US vape businesses use PayPal, but don't have the links to any right this second. But I will look and post them.

Paypal "Acceptable Use Policy" as of July 1st 2015

[screenshot of the PayPal Acceptable Use Policy attached]
 

OneBadWolf

Nice response. A little like closing the barn door after the horses have eaten your children. Nonetheless, well written.

> "The silver lining is that we now have a deep understanding of what it truly takes to make our customer's data secure. Previously we took the word of the site developers and the fact that we consistently passed PCI compliance scans to mean that the data was secure, but that is just the mere tip of the iceburg. Because of this experience we are now more knowledgeable and more protected than 99.9% of the eCommerce sites on the web"

So all it took was a few of your customers to experience the hell of credit card fraud to develop "a deep understanding of what it truly takes to make our customer's data secure." Glad it worked out for you. Silver lining? Your customers' mileage may differ.

> "The breach occurred between Feb 11th - Mar 16th of 2015 and since that time no further breach has occurred. Customers that placed an order within the time period of the breach were notified in accordance with their states unique consumer notification laws (via phone, mail, and/or email)"

So, the Members here who have posted that they were not notified are lying? And what about the 3.3% of your customers who are from Canada?

Have you offered any of your affected customers free credit monitoring or other mitigation?

> "The vulnerability that the attackers took advantage of was a part of the core magento code that allowed for cross site scripting."

You might want to audit for SQL injection exploits as well. Just saying.

> As for the newsletter, I'm not sure about that one and I would be happy to look into it further if you would be willing to provide me with your email address.

Wow. That really renews confidence in your IT problem solving. Here's a radical blue sky idea! Try making a test account yourself, and see what happens.

Marketing Directors gonna market. You get full points for spin. Not so much for contrition or sincerity. Your customers are not a resource to beta test and audit your security. Best practices being followed would have prevented the malware in the first place. You will NOT get my email address much less my personal or credit info.

Pick a hat.

OneBadWolf

> All the Chinese companies do, but like the UK, PayPal must have different rules for non-US companies. I've seen a few US vape businesses use PayPal, but don't have the links to any right this second. But I will look and post them.

So it's not illegal, just a PayPal policy. Perhaps a petition from a large forum representing the Vaping community might alter their policy. If only there were such a forum....

Seems like Bitcoin would be the solution.
 

DustinT

Nice response. A little like closing the barn door after the horses have eaten your children. Nonetheless, well written.

Thank you....I guess

So all it took was a few of your customers to experience the hell of credit card fraud to develop "a deep understanding of what it truly takes to make our customer's data secure." Glad it worked out for you. Silver lining? Your Customers mileage may differ..

We are sincerely sorry for the inconvenience that we caused for our customers. Honestly, no site is ever 100% secure as technology is always evolving, but at the time, with the developers (third party that was an established business and trusted Magento partner that built and maintained the site for us) telling us it was secure and the scans for PCI compliance are telling us it is secure, we had no reason to think otherwise. As soon as we started hearing from customers we hired an outside security firm to find and fix the issue. That's also where the true learning process began. I'm not going to say that we are now certified security experts, but I can assure you that we know more than most companies in the eCommerce arena and that is a direct result of the experience we went through. That's all I was trying to say.

So, the Members here who have posted that they were not notified are lying?

I know for certain that we contacted everyone that was affected. Many man hours and many lawyers were involved to ensure that it was done properly. I can't research or verify anyone's claims without knowing their MFS account info, and no one has provided that info to me yet.

You might want to audit for SQL injection exploits as well. Just saying.

We regularly monitor for all kinds of code injection exploits as well as many other things. Sorry, can't be much more detailed than that so as to not give too much info about our security away here. However, even if someone were to inject code on our site now, they would not be able to steal any sensitive credit card data. That data is never entered on our site and is not stored in our database.

Wow. That really renews confidence in your IT problem solving. Here's a radical blue sky idea! Try making a test account yourself, and see what happens.

There are numerous places to enter your email on our site, not just when you create an account. Without knowing your email address I can't determine for certain that it wasn't entered somewhere else.

Marketing Directors gonna market. You get full points for spin. Not so much for contrition or sincerity. Your customers are not a resource to beta test and audit your security. Best practices being followed would have prevented the malware in the first place. You will NOT get my email address much less my personal or credit info.

My first response you labeled as contrite, but now I get no points for contrition? It's okay. I certainly understand your position and appreciate the feedback. I'm not trying to persuade you or anyone else into anything by providing this information, but I hope that this discourse has provided a little more insight to everyone and served to clear up some questions that I'm sure many more than just yourself wanted to know the answers to.

Pick a hat.

One hat is never enough :)
 

5150sick

Under Ground Hustler
Staff member
VU Administrator
Senior Moderator
VU Donator
Diamond Contributor
Press Corps
Member For 5 Years
Mod Team Leader
So it's not illegal, just a PayPal policy. Perhaps a petition from a large forum representing the Vaping community might alter their policy. If only there were such a forum....

Seems like Bitcoin would be the solution.

They have had that policy since 2009
No vape forum in the world will change their policy because they elected the policy on their own when the FDA/CDC asked them to.
Even pulling in MILLIONS of dollars from vape related sales off of eBay hasn't caused them to change their policy.
There have been sellers who have gotten their accounts locked with thousands of dollars trapped inside.
If you sell vape gear using PayPal you will get caught.... eventually.


Not everybody wants to go through all the bullshit involved in setting up a bitcoin account, and many non tech savvy ex smokers would be screwed.
Some elderly ex smokers aren't good enough with the Internet to do what it takes to use bitcoin.
They are barely good enough to put the product in the cart and check out.

Wouldn't it be even easier if these vendors got their shit straight?
No other vendor in the history of vaping had this many people get fucked out of money after placing an order.

My suggestion would be: Read this thread, You have been warned.
 

Douglas H. Aiken

Bronze Contributor
Member For 4 Years
Member For 3 Years
After my buddy @f1r3b1rd sent me a link to this thread, the first post I read referenced Team Beach Body.
On 09/16 I had a $156.64 charge on my Credit Card from them and on 09/18 it was reimbursed without me even disputing it.
I didn't even know it was on there before it was reversed.
I rarely pay attention to such things, unless I run out of money. Perhaps I should audit the last few months of all of my accounts transactions.
And yes, I have bought from MFS several times, as recently as June 2015.
I believe breaches generally occur at the Credit Card Processor level, but I assume it can also occur at the merchant level.
The fact that this has gone on for almost a year does not bode well for them.
It is possible fraudulent transactions are still being processed from CC info hijacked a long time ago as opposed to multiple breaches. My last purchase was just over 3 months ago and the fraudulent transaction just occurred a few days ago.
I will give them the benefit of the doubt until I read all I can about what has transpired and do more due diligence, but I will not make any more purchases any time soon, if ever.
 

DustinT

Member For 4 Years
Member For 3 Years
Member For 2 Years
Member For 1 Year
Member For 5 Years
So it's not illegal, just a PayPal policy. Perhaps a petition from a large forum representing the Vaping community might alter their policy. If only there were such a forum....

Seems like Bitcoin would be the solution.

This is correct. However, now that PayPal has split from eBay it seems that they may be relaxing this policy a bit. We are keeping an eye on it and hope to be offering PayPal one day.

I'm a huge Bitcoin fan. I haven't been able to persuade everyone here just yet, but if I could show them that there would be a significant customer base that would use it that would definitely help.
 

DustinT

Member For 4 Years
Member For 3 Years
Member For 2 Years
Member For 1 Year
Member For 5 Years
After my buddy @f1r3b1rd
It is possible fraudulent transactions are still being processed from CC info hijacked a long time ago as opposed to multiple breaches. My last purchase was just over 3 months ago and the fraudulent transaction just occurred a few days ago.

This. They hold onto the info for a while and seem to use it in waves so as to not draw too much attention.

Also, I would highly recommend you have your bank issue you a new card if they haven't done so already. They caught this transaction and reversed it, but that also means that your card info is still no longer secure.
 

f1r3b1rd

https://cookingwithlegs.com/
Staff member
Senior Moderator
VU Donator
Diamond Contributor
VU Challenge Team
Member For 5 Years
VU Patreon
So if this happened to him in September and we now have a few people that have had these issues since 2014, yet you are saying the breach was from February through March of 2015.

Are the other occurrences unknown breaches? Coincidences?
 

DustinT

Member For 4 Years
Member For 3 Years
Member For 2 Years
Member For 1 Year
Member For 5 Years
So if this happened to him in September and we now have a few people that have had these issues since 2014, yet you are saying the breach was from February through March of 2015.

Are the other occurrences unknown breaches? Coincidences?

We have zero evidence of any data being breached outside of the dates I provided previously. I would be more than happy to look into their specific situations further, but would need for them to contact me directly so that I know what account to look into. Please do not post any info here. Best way to reach me is via email: [email protected]
 

OneBadWolf

VU Donator
Gold Contributor
Member For 4 Years
ECF Refugee
And what about offering the credit monitoring? And Facebook censorship, and the customers from outside the US, or the lack of any mention of this on your website that might have alerted any customers of yours that your "diligent efforts" to notify failed?

Did you start a thread here to warn those potentially affected? No. You just popped up after the fact when a forum member posted what was happening.

Spin is hardly a reliable indication of commitment to change, AFTER it has been brought out in the open by others.

Your response would have been appropriate, and well received, if you had produced it BEFORE being called out on the matter.

You may or may not have as a company broken the law as far as protecting your customers' data, but the days where you could just point the finger at the scary hax0rs are long past. You were entrusted with a thing of value by your customers. You failed to protect it. Like a mechanic parking a customer's car outside the shop, unlocked with the keys in it.

Malicious hackers who steal are like any other criminals. If they come across a basement with bars on the window, or a security system, they go next door to the easy pickings. You were the easy pickings.

Eliminating comments from your Facebook page, if that occurred, is inexcusable. I'm sure they still cover Business Ethics in any bona fide MBA syllabus these days.

Don't bother responding by saying you will look into it, or it wasn't your department, it will ring just as hollow as your other fails.

Any company can experience what yours has, that is true. How they deal with it openly and proactively defines them. Anything else is spin and damage control in my opinion.

Shame on you and your company.
 
Last edited:

Douglas H. Aiken

Bronze Contributor
Member For 4 Years
Member For 3 Years
Considering I've been hearing of these issues with this particular vendor for over a year now; and this is the first time I've seen them say anything, and it's a passing of the buck?
Lucifer will be serving snow balls in the 8th circle of hell before I make another purchase there.
Don't Sugar Coat it man.
Tell us how you really feel. :)
 
