FabFitFun Sees Consecutive Data Breaches Affect Hundreds of Customers

FabFitFun had a summer of security issues for its customers.

The popular subscription box, which reportedly has more than 1 million subscribers receiving its quarterly packages of apparel, beauty and home products, had two breaches of customer data between May and August of this year, WWD has learned. The breaches exposed personal customer information such as e-mails, names and addresses, as well as credit card and payment information. Even the logins and e-mails of some customers paying through PayPal and Apple Pay were compromised.

While the first breach, which occurred in May and was said to affect fewer than 1,000 customers, was disclosed to some shoppers, who were offered a $25 site credit, a more recent one discovered in early August seems to have taken the company longer to disclose. Neither breach has been reported to the State of California, as is required for business breaches that affect more than 500 consumers, according to public data from the State Attorney General.

A company spokeswoman didn’t specify the number of customers affected, but did not refute source claims that it was likely in the thousands.

“We are confident that the issue has been resolved and will no longer affect transactions on our web site,” she said.

After this story was initially published, the spokeswoman allowed that the second breach has been reported to the FBI and that the company is “of course, in the process of filing a report to the CA Attorney General and other relevant regulatory agencies.”

As for the first breach in May, the spokeswoman said, “We promptly made all impacted consumers aware, and while it did not rise to the threshold level for reporting to the California Attorney General, we did notify regulatory agencies in other jurisdictions as appropriate.”

In a Reddit forum on that initial data breach, dozens of FabFitFun users claimed they received no notification, even though they claim to have linked fraudulent activity on personal credit cards to information stolen from FabFitFun.

On Tuesday, another user in a separate and larger FabFitFun forum said they were just this week notified by the company of the second breach, which seems to have gone unnoticed from late May to early August. In the note, the company attributed the breach to “malicious code” inserted in its member sign-up page, and said “we believe” that only a subset of new sign-ups were affected by the breach. The company also said that it had reported the breach to law enforcement, but again, there is no notification on file with the State Attorney General of California, where FabFitFun is based.

Data breaches are not uncommon in retail, and businesses from StockX to Target have had to deal with them, but they can lead to consumer lawsuits and involvement by state lawmakers charged with consumer concerns.

In comments regarding the second breach, dozens of customers again claimed to have gone unnotified for weeks, allowing their information to be stolen and used. Users on the forum claim to have had fraudulent credit card and bank transactions and noticed fraudulent attempts to use their e-mails and names to sign up for new shopping accounts at other retailers. While those who received direct notification received another $25 site credit, many noted that they were canceling subscriptions after seeing a second data breach over roughly three months.

“As if I want to continue purchasing with them anymore,” one member of the forum wrote. “I understand that security breaches can happen with any company, but their general attitude is infuriating. Someone tried to order from my card four to five days ago; had FFF been more prompt with informing customers, this could’ve been totally avoided.”

To have personal information removed from the site, users claim that they must submit a separate request in addition to canceling a subscription, as FabFitFun is said to retain all information, even for inactive accounts.

In a recent internal note said to be the first disclosure to staff of the breaches, cofounder and co-chief executive officer Michael Broukhim said that the company had required all customers and staff to reset their user passwords. He did not mention other remedies to the situation beyond “continuing to review and enhance security measures.”
