My Subscription Addiction

FYI – FabFitFun Security Issue

By MSA | Sep 15, 2020 | 55 comments

FYI - FabFitFun recently experienced a security issue. You may be prompted to reset your password when you sign in. More from FabFitFun:

Hi Community,

I wanted to make you all aware that our technical team recently discovered that an unauthorized third party gained access to portions of our website that may have enabled them to capture certain information in connection with recent customer sign-ups.

Based on our forensic investigation, this incident concerns the new member sign-up pages of our website during the period between April 26, 2020, and May 14, 2020, and between May 22, 2020, and August 3, 2020. Although we believe that only a subset of members who signed up during this period was affected, we are sending notices today to everyone that purchased a subscription or redeemed a Starter Box during this timeframe as a precaution.

We take the security of personal information very seriously, and sincerely regret any concern or inconvenience this may cause. We took steps to address and contain this incident promptly after it was discovered. As soon as our technical team identified the issue, we removed the malicious code and took steps to secure our website with the help of forensic cybersecurity experts engaged to assist with our investigation. We have also reported the matter to law enforcement and are cooperating with the investigation.

Please note that all affected members will receive an email today, and will also receive an official notice via mail explaining the incident. If you did not receive a notice from us directly, this means that we do not have reason to believe that your information was affected.

While we are continuing to review and enhance our security measures, we are confident that the issue has been resolved and will no longer affect transactions on our website. As a further precaution, and as you are now aware, we have initiated a password reset for all FabFitFun members with enhanced complexity and length requirements.

We are here for you if you have any questions, and remain committed to our goal of creating the most valuable membership for you, especially during a period when we need self-care the most.

Take care and stay safe,

Chris
SVP Technology

For your reference, our team has prepared some FAQs:

Q: Can you tell me if I am affected?

A: This incident concerns the new member sign-up pages of our website during the period between April 26, 2020 and May 14, 2020, and between May 22, 2020 and August 3, 2020. Notification letters and email communication are being sent to potentially affected individuals. If you did not receive a specific email and letter notification about the incident from us (which is different from the password reset email), this means that we do not have reason to believe that your information was affected.

Q: How are you preventing similar incidents in the future? How do I know shopping on your site is safe?

A: We don’t take this lightly. Your trust is the most important thing to us and our goal is to be proactive and forthcoming with our member communication on these topics. We took steps to address and contain this incident promptly after it was discovered. As soon as our technical team identified the issue, we removed the malicious code and took steps to secure our website with the help of forensic cybersecurity experts engaged to assist with our investigation. We have also reported the matter to law enforcement and are cooperating with the investigation. While we are continuing to review and enhance our security measures, we are confident that the issue has been resolved and will no longer affect transactions on our website.

Additionally, as part of our ongoing security efforts and out of an abundance of caution, we are requiring a password reset for all FabFitFun members with enhanced password length and complexity requirements. Working closely with leading security experts, we will take steps to enhance the security of our site on an ongoing basis and as part of an overall strategy to mitigate the risk of future incidents.

Q: What are you doing to protect the identity of members whose information was potentially compromised?

A: Members who may have been potentially impacted by the incident will be offered complimentary identity protection services from a leading identity monitoring services company. We are deeply appreciative that our members have chosen to be part of the FabFitFun community, and as a token of our appreciation, we will be offering members who were impacted a $25 credit that can be used with the Winter Add-Ons or Winter Edit sale. Instructions on how to redeem the credit will be included in the individual emails that are sent to those members.

FabFitFun is a quarterly subscription box from FabFitFun.com. Each season they send you a box of $200+ worth of items in categories like beauty, fashion, and fitness. It’s our readers’ top pick for the Best Fitness Subscription Boxes of 2020!

Check out our FabFitFun reviews to see what you can expect from this subscription.

55 comments

Becks

No one is surprised here. People who canceled a year ago still had access to the forum and sales because they were too dumb to lock their sites down. They are hemorrhaging money with all the credit and botched orders.

Sherry

I hear the class-action lawsuit following lol

Amanda

I have a new Annual subscription with them. Just waited through 66 people in line for live chat. Looks like a lot of people are talking with FFF.

I was able to cancel my Annual subscription for a refund.

I have decided as of today that NO internet purchasing transactions are secure, but FFF is less so than most.

I read this notice on the top of their home page that says their workers are working from home. I wonder if that played a part?

This is not worth the hassle of worrying from now on for anything. Because I have many direct deposits, I can’t easily change bank account numbers in the time of COVID-19.

I’m really concerned about my CC number being “out there”. I know many others of you and people who don’t post here are as well. They have (or had) millions of customers.

Good luck to all of us, and thank you for the links about removing my info from sites. I have no clue how many sites have my (still new) card info right now. I’m going to indulge in a few CBD gummies, put my Tempurpedic on massage, and listen to some David Lanz music through my Echo while it rains this afternoon.

Things will get better. I am comforted that my bank account is less than 60 days old. Thanks to a relatively cheap sub for taking money out of my old card when I’d cancelled them 2 years ago or more.
I probably had 60-80 subs with the old card number on file.

I also want to say that I am not sure if FFF can survive this. I am sorry for them, but only a tiny bit.
Amanda

josey

So…they knew back in June that they were hacked. It was posted on their community board. They wouldn’t address the question! Now they are suddenly saying it happened again?! Who monitors these companies? Why are they allowed to run a business like this? If you are looking to join FFF…run, fast and long. Don’t look back! That company is a nightmare.

Jodi

Yeah, I got screwed over because of this. I bought a close girlfriend a box when she was going through a tough time and signed up on a new email address under her name. A few weeks later I was pleasantly surprised to find a $3k charge on my credit card for some construction project with a construction company based out of California under my friend’s name. The only time I used that credit card, email address, and my friend’s name was to make this purchase. Luckily my bank is rad and dropped the charge. I notified FFF, got a generic email, and an extra fall box. Total bummer, I don’t feel secure at all with them having my payment information anymore after having to cancel my credit cards.

Anna

If you believe their story, please check the FabFitFun reddit; they were warned they had a breach and denied it. I’m very disappointed in their statement because one or more customers made them aware of the first breach, they did nothing, and let a second happen. I pay for a service with them; I expect them to at least keep my information secure.

Anna

The site has been problematic for a week or two; their social media is full of paying members locked out of their accounts. Then the forced password reset just has accounts in an endless loop of resetting the password and getting no access. Mine has been this way for over a week.

I’ve been advised that technical support is working on this but if it’s not resolved soon I’ll be filing a chargeback. An annual membership you can’t sign into is totally useless for me.

SMc

One idea is to change the billing information to a Visa/MasterCard/AE gift card; that way they can never charge you more than you want. You can settle any payments with customer service, who might not keep the debit card info attached to your main account. Your order will just say “past due” until you settle the charge with them, or until you load the gift card with more money. I like it because if I wake up the next day after a sale and regret what I bought, you can remove things or cancel your order entirely. They like to say “all sales are final” but don’t explain that a sale is not final until money is exchanged in full from your method of payment. Until then, it can be changed. They also like to pull stunts where they charge me the wrong amount and other predatory business behaviors. It would be useful as well in case you’re afraid of forgetting to cancel a starter box or account or when a sale ends. Everyone, please read up on the Terms of Use that they hide at the bottom of the homepage and familiarize yourself with FTC rules that apply only to purchases and billed goods you didn’t receive, or that weren’t sent within the promised timeline, or that weren’t refunded, etc., because FabFitFun has been having A LOT of issues that fail to meet FTC guidelines. They count on us all being uninformed consumers and not knowing our rights.

Kathy S Piccini

Yup. I only use Gift Cards on my FFF account now n have for a while. So the money access vulnerability isn’t one I havta b overtly concerned about.
But.. if passwords attached to ur email address were hacked/stolen they could now have access to a lot more than just your FFF Account. Highly recommend changing ur passwords on any & all accounts your email address n this same password may b attached to.

Belle

Yes! All of this!!! 👆👆👆

Cait

I got the email that I am among the unlucky few who have had their information stolen. It’s actually really irritating because I was already a part of a breach that happened with their shop a few months ago. Within two days I had fraud on my credit card. So I think it’s a very bad sign that they’re making EVERYONE change their password. This is monthsssssss after the first breach, so clearly they did nothing to improve security. That’s really upsetting. It’s annoying that I’m having to go through this again and it’s my first experience with a subscription box from when I first subscribed. I’ve been loving the box but idk if I can keep putting up with this. It’s scary.

Bindi Shah

I subscribe to FabFitFun on and off depending on whether I like the box. Right now my subscription is canceled. I received an email and changed my password. Data breaches can happen anywhere and it is unfair to blame the company for it – it’s just the world we live in. Also, companies will always keep your info on file in case you decide to make another purchase with them in the future or resubscribe. Also to deter people from constantly subbing and unsubbing just to use coupons. I think that’s fair for them to do so. But there should definitely be an option to remove your credit card on file even though it’s all out there in the cloud.

Belle

It is the company’s fault if data breaches happen. Having worked in IT for years as a Sys Admin as well as Network Admin, I can tell you from experience that it is imperative that companies continually update their security measures or breaches will occur. This is not a case of caveat emptor. A company has a DUTY to keep our information safe. When security professionals get lazy, breaches happen. So, yes, it is the company’s fault.

Belle

It is completely fair to blame the company. I worked in IT for years as a Sys Admin as well as Network Admin. It was my job to ensure no data breaches occurred. If a data breach does happen, it’s because the company hasn’t updated their security measures as often as they should. This is not a case of caveat emptor. A business has a DUTY to keep our information safe. That’s why they employ security professionals, firewalls, etc. You can blame the consumer all you want, but I guarantee based on my professional experience that someone was slacking on the job. This was a clear case of password spraying.

Belle

I received notification that I needed to change my password. However, they didn’t send any information about free credit nor credit monitoring. I’m confirming this right now with an email to customer service. As for the “small number” affected, it won’t be small. Those of us who understand IT security know that they got a huge chunk of accounts.

Toni Marie

I haven’t been signed up in a while, but I’m going to post this on my page and warn others who didn’t get an email. I also cancelled my credit card….

dia

Just FYI, canceling your account isn’t going to help. Companies keep your information forever. It’s in their server somewhere – and even when they decommission the server, they often fail to fully wipe it. I recently received notification from an investment company that I ceased to do business with in 2014 saying that my information might have been compromised.

Crick

So… I happened to call them today because of another charge on my cc statement from them for $54.86 on 8/27, and the lady said it was on my old account from my old email I had used and canceled with them years ago. Well, at first the lady was like, since it’s already shipped to their warehouse she could just give me a discount. I said no, I already got a fall box, I don’t want another one! I want a refund and this subscription canceled again!! She then said it would be refunded and canceled. And then I get this email to change my password. Well, that explains it I guess!! Idk 😐

Saucy

This makes me so mad. They had an issue before, so I used a specific new sub email account to renew with FFF, and later, a couple months ago, it got email subscription bombed and my credit card charged to some place in Germany. I had to completely delete that email account and get a new card. I reported to FFF that that was the only combination of that email and that card I used, since I normally use PayPal or some digital wallet service, so it had to be a data breach with their site, and they said nothing happened and there was nothing to worry about.

Toni Marie

I haven’t been signed up in a while, but they have not emailed me at all. I tried to sign into my old account and I found that I’m locked out.

Lily

I’m also getting a lot of emails. I canceled a few times, yet each time my information was never deleted fully.

Belle

You have to request that your account be deleted. Otherwise they hold on to your info forever.

Vi

I just spoke with FabFitFun after canceling my membership. My annual ended with the fall box so I was going to cancel anyway. I asked about the account being compromised because I’ve had mine since last fall and I still received the email, and the dates above are saying it should only be for new members from this year. The representative said that they sent the email to everyone and those who were affected received a second email about how they were compromised. I also requested that they delete my credit card information on their system; she said she would submit a request to have it done and I should receive confirmation of it. I guess I’ll keep Margot Elena at least until the price changes in spring of next year and continue to shop Boxycharm add-ons with my premium for good deals.

Ashleigh

I think it’s kind of strange that I have to pick whether I want to add the credit to the winter add-on or winter edit sale… how am I supposed to know? I have to go through credit monitoring and change my passwords… can’t I just have a $25 credit on my account?

Shannon

My email didn’t say how to claim the $25. Just said I was affected. Then the other one explaining it. How do I get that? Ty

Belle

Go with the credit monitoring. It’s not only the higher value (worth more than $25.00) of the two choices, but it will be quite valuable to you (I’ve been through several data breaches and the credit monitoring saved me).

Dea

All my past accounts with FFF are canceled, some were opened and closed years ago, and yet they sent this email to *all* my email accounts today.

So it’s not just about breaches *this year*. CYA, I guess. Or just the typical FFF tactic to send you emails all the time just to remind you that they exist. Not impressed with them either way.

Dixie

The email I got on the potentially compromised account I have was different from the email I got on older accounts, though they did email all my accounts.

MK

This is not transparency — they don’t mention what information was leaked. This is poor backend security, and a bandaid doesn’t fix it for those who are affected. I

dixie

I can confirm they do mention what information was compromised in the email to compromised users. The answer is: all of it.

Izzie

Is there a way to have them to remove my account completely? I canceled my subscription after winter but they still retained all my info (and keep spamming me).

Jen

Yes, you can remove your account entirely. You have to submit a request through CS; they sent me the link and I filled it out and submitted it. There is an option of payment info only or the entire account. It took two weeks for mine and more than one submission for them to do it.

Anna

You can request they remove it here https://fabfitfun.com/DataSubjectRequest/

Izzie

Thank you!

Cissy

Just did this, thanks for the link!

Belle

You have to request that your information be deleted. They don’t automatically do it once you cancel. If they refuse, use a free service like AccountKiller to remove it. There are very few companies that hold on to your information indefinitely if you request total deletion.

Monica

Unfortunately your information is kept forever.

Desi

When you cancel they don’t remove your info (i.e. it’s really just dormant). I cancelled my account back in January but received the email and updated my password. I can’t seem to remove my credit card info from my account profile on their website though. I have asked them to remove it for me.

Belle

You have to request that your account be completely deleted. If that doesn’t work, use a free service like AccountKiller.

Caroline

Thanks for the tip! Going to do this since I’ve been cancelled for almost a year.

Dixie

The identity monitoring service they’re using is only for US citizens. Thanks for nothing, FabFitFun!
