Hacked! Unravelling a data breach
This is a story about paying a steep price for a pair of cheap socks.
The first loose thread in June
One Tuesday morning as I* was having my coffee and toast before kicking off the work day, I got a text from my credit card company alerting me to a suspected fraud charge. Of course I was alarmed and started looking into it right away.
I messaged my husband: Are you getting any fraud charge alerts? Nope, just me.
Soon after, I received an email order confirmation (then another and another) for electronic goods I didn’t purchase. The email receipt showed my home billing address, with a different shipping address, which happened to be the location of a hotel in my city. I found it odd and scary that someone local had my credit card number matched to my actual name, home address and email address. I imagined them holed up in a hotel room opening boxes of stolen goods and reselling them on Craigslist. But wouldn’t the thief realize I (and other victims) would get these email messages?
Wait. Was someone using my email account?!
Hoping it wasn’t too late, I sprang into action, quickly changing my email password and verifying that my account wasn’t logged into any unfamiliar devices. Everything seemed okay there. I wondered if it could have been a mashup of data breaches and scrapes that allowed a thief to merge the information into a more complete picture. The thought crossed my mind that a keylogger was installed on my computer.
Meanwhile, my credit card company canceled my cards and set about issuing new ones. What had actually happened didn’t pinpoint me personally — and here’s what I was able to weave together.
Backstitch to May
Like most people on Instagram, I love to see friends’ pics and scroll through other fun visual content. I don’t mind ads for movies and shows (hello entertaining videos that fill my playlist) or for clothes and accessories (hello virtual window shopping). One ad kept reappearing for custom print socks. So cute. I caved and ordered a pair of these socks for my husband for Father’s Day, featuring our kids’ faces. They arrived, as adorable as could be, and we all had a good laugh when he opened them.
Life went on. Then something else happened.
A tangled knot in July
Apparently the would-be credit card thief had also used FedEx for shipping, and when my credit card was declined, FedEx reverted to billing the shipper, which was the thief posing as me with my real address.
When I received the first invoice in the mail from FedEx, I called my credit card company, who assured me that the charge had been flagged as fraud. The representative advised me to ignore the letter, and that FedEx knew the charge wasn’t mine. But the second letter from FedEx was clear they weren’t giving up on collecting the fee billed to my “account” even though the real me doesn’t have one.
When I called FedEx and gave the case number listed on the letter, the representative started asking what I felt were increasingly privacy-invading questions (wouldn’t the case number be enough information?), and I was worried this was a phishing expedition. Eventually, after a few more phone calls I was able to get this resolved. I think. No more letters. Fees removed. Still, it was unnerving.
Knitting the threads together in September
The email subject line caught my attention: Security Incident Notification. The e-commerce host for the adorable sock company I ordered from in May had been compromised. They wrote that:
The hosting company, by their own admission, forgot to enable one of the most basic security features, and this security oversight allowed our business to be attacked by an unknown 3rd party using a malicious file, allowing them to access some payment information.
The hosting company’s failure in ensuring traditional security and data-protection measures allowed the unknown 3rd-party to skim the information as it was entered.
So it appears the alarms that went off in June were related to a purchase I made in May. I can’t be sure that my data isn’t still out there, but at least my credit card has been replaced. I did check my credit report recently to make sure there wasn’t any suspicious activity.
The takeaway
I can only assume that the fraudsters had a huge dump of data, and they figured they could get away with theft from some people who wouldn’t even notice the charges. If the credit card hadn’t flagged the fraud, they might have gone unnoticed by someone who doesn’t review their monthly bill. It’s mildly inconvenient to have credit cards reissued, and it can also create problems with automatic bill-pays and urgent needs. Taking care of the fallout took time and effort. I’m assuming this is over, but maybe it’s not.
* * * * *
Truthfully, it could have been much worse. We can’t predict the future, but we can be prepared in case our personal information is ever part of a data breach. Luke Crouch, a cybersecurity expert with Mozilla, recommends people do the following when faced with a data breach:
- Lock down your email accounts by updating your passwords and setting up 2-factor authentication.
- Get a password manager.
- Use Firefox Monitor to see if your email has been part of any other breaches.
The bottom line: If you get snagged in a data breach, tie up any loose threads quickly to protect yourself, and stay on top of monitoring your accounts for suspicious activity.
*Ed note: This person’s name has been removed to protect their privacy.
At Mozilla, we work towards creating a safe and joyful Internet experience every day. That’s why this year for Cyber Security Awareness month, we’ll be featuring privacy and security experts as they weigh in on personal stories of cybercrime and more. Check back each week in October for a new story and expert advice on how to protect yourself online. In the meantime, kick-start your own cyber security journey with products designed to keep you safe online, including Mozilla VPN, Firefox Monitor and Firefox Relay.