Eye4Fraud

On March 6, 2023, Troy Hunt notified users of his website (HaveIBeenPwned) that Eye4Fraud ("E4F") experienced a data breach involving ~16M accounts. 
Abstract Ocean trialed Eye4Fraud's services between August 2019 and January 2020. E4F provides services that help protect against fraudulent orders (ignore the irony there) for eCommerce companies. 
 
Unfortunately, they have so far failed to disclose any information about this breach. We have contacted them directly for information, but they have not been forthcoming to us, or anyone else for that matter (e.g. there is not even a mention of the breach on their website). What we know is based on information mostly provided by Troy on Twitter. We will update this page as we find out more.
 
[March 14]
Eye4Fraud has (finally!) posted a public statement that says not much of anything, but does confirm that they do not collect sensitive personal information about individuals like account passwords or full payment card numbers.

[March 13]
Today we have sent notifications to our customers that we believe might be impacted. Out of an abundance of caution, and the continuing lack of any communication from E4F, we widened the window to the end of January 2020; whilst it is likely we've included some customers that were not impacted, it's safer to be over-cautious.
We have again sent a request to E4F, reminding them of their obligations under Art. 33 of GDPR.
 
[March 9]
Still nothing from Eye4Fraud, either publicly or in direct response to our enquiries. They have started to remove customer testimonials from their site, so they clearly know, but still no formal disclosure that we can act on. As a reminder, we terminated our relationship with Eye4Fraud in December 2019; any orders placed after that date would not be impacted, and we believe orders placed prior to August 2019 are also not impacted, but we cannot be sure until Eye4Fraud disclose more details.
 
[Added March 8, 2023]
If you placed an order with us between August 2019 and January 2020, then it may have been screened by Eye4Fraud. If so, the following data might have been disclosed in the breach:
  • Payment method (card type)
  • Last 4 digits of the card used
  • Personal information (Name, phone number, email address)

Until we have more information from Eye4Fraud, it's difficult to provide additional guidance or information. The 'good' news, relatively speaking, is that the data involved in the breach appears to be at least three years old, and the card data was only the last four digits, so the risk of fraudulent charges on your payment card, if still valid, appears to be low. Since Eye4Fraud does not provide services directly to consumers, no customer passwords were leaked. But, as always, be wary of phishing emails or phone calls.