FabFitFun had a summer of security issues for its customers.
The popular subscription box, with a reported more than 1 million subscribers getting its quarterly packages of apparel, beauty and home products, had two breaches of customer data between May and August of this year, WWD has learned. The breaches include personal customer information like e-mails, names and addresses, as well as credit card and payment information. Even logins and emails of some using PayPal and ApplePay were compromised.
While the first breach, which occurred in May and was said to affect fewer than 1,000 customers, was disclosed to some shoppers and they were offered a $25 site credit, a more recent one discovered in early August seems to have taken longer for the company to disclose. Neither breach has been reported to the State of California, as is required for business breaches that affect more than 500 consumers, according to public data from the State Attorney General.
A company spokeswoman didn’t specify the number of customers affected, but did not refute source claims that it was likely in the thousands.
“We are confident that the issue has been resolved and will no longer affect transactions on our web site,” she said.
After this story was initially published, the spokeswoman allowed that the second breach has been reported to the FBI and that the company is “of course, in the process of filing a report to the CA Attorney General and other relevant regulatory agencies.”
As for the first breach in May, the spokeswoman said “We promptly made all impacted consumers aware, and while it did not rise to the threshold level for reporting to the California Attorney General, we did notify regulatory agencies in other jurisdictions as appropriate.”
In a Reddit forum on that initial data breach, dozens of FabFitFun users claimed they received no notification, even though they claim to have linked fraudulent activity on personal credit cards to information stolen from FabFitFun.
On Tuesday, another user in a separate and larger FabFitFun forum said they were just this week notified by the company of the second breach, which seems to have gone unnoticed from late May to early August. In the note, the company attributed the breach to “malicious code” inserted in its member sign-up page, and said “we believe” that only a subset of new sign-ups were affected by the breach. The company also said that it had reported the breach to law enforcement, but again, there is no notification on file with the State Attorney General of California, where FabFitFun is based.
Data breaches are not uncommon in retail, and business from StockX to Target have had to deal with them, but they can lead to consumer lawsuits and involvement by state lawmakers charged with consumer concerns.
In comments regarding the second breach, dozens of customers again claimed to have gone unnotified for weeks, allowing their information to be stolen and used. Users on the forum claim to have had fraudulent credit card and bank transactions and noticed fraudulent attempts to use their e-mails and names to sign up for new shopping accounts at other retailers. While those who received direct notification received another $25 site credit, many noted that they were canceling subscriptions after seeing a second data breach over roughly three months.
“As if I want to continue purchasing with them anymore,” one member of the forum wrote. “I understand that security breaches can happen with any company, but their general attitude is infuriating. Someone tried to order from my card four to five days ago, had FFF been more prompt with informing customers, this could’ve been totally avoided.”
In order to remove personal information from the site, users claim that they have to submit a separate request in addition to canceling a subscription, as FabFitFun is said to store all information, even for inactive accounts.
In a recent internal note said to be the first disclosure to staff of the breaches, cofounder and co-chief executive officer Michael Broukhim said that the company had required all customers and staff to reset their user passwords. He did not mention other remedies to the situation beyond “continuing to review and enhance security measures.”