Possible data breach at Nicotine River

To be clear this did NOT happen to me but many users on reddit
Just figured I’d pass on this warning, I just read through a TON of reports of about a potential data breach at nicotine river.

For more info

Copy and paste follows here

"irst, emphasis on the word “Possible.” I am making this post to both warn people and determine if it is widespread. So if you have ordered from them recently please check your email/spam and comment if you have received a similar email.


I use an email forwarding service that generates a unique email address for each website/online account I use and forwards all messages to my regular inbox. I have exposed this address only once, a single order at Nicotine River about 6 months ago. I am relatively confident that Nicotine River is the source of the breach, as I have witnessed this several times with the email system I use.

Today I received a classic scam email to that address:

Stolen personal information in the subject line (such as name, password, or address) to get your attention

Threat that they had obtained a video from my webcam to blackmail me with ("hand to gland combat" haha).

Demanding payment in crypto currency to prevent spreading the video to family and friends  

It is unclear what information was extracted. The email subject was my real “firstname lastname ID########.” I’m unsure what the 8 digit ID number is. Possibly a customer ID from a CRM database?"


Many users are reporting the exact same e-mails
another thing pointed out here

"River Supply Co. uses Shopify as their e-commerce platform and Shopify is the platform where your data was held. Shopify has had various data breaches and or vulnerabilities exposed in the last year including this one: https://www.zdnet.com/article/shopify-api-flaw-offered-access-to-revenue-traffic-data-of-thousands-of-stores/ "


So has River Supply said anything in response to this?


Son of a bitch I got it too.


No, but this was posted a few hours ago, NR is active on reddit I believe and they have been tagged

I will update if/when they respond.


I’m sure they’ll chime in.


Hey everyone, we’re aware of the situation. This is not confirmed and we are currently working closely with Shopify as all of our stores data goes 100% through their platform. In order for any data to be stolen from our site, it would have to be stolen from Shopify which is home to over a thousand e-commerce stores.

As of now, do not respond to the email. It is purely spam and is intended to scare you by threatening your privacy, it’s a commonly used method explained here: https://www.merchantfraudjournal.com/sextortion-email-scam/

Thank you, when I have further details I will convey them here.


@Nicotine_River as a customer, I appreciate your fast response here. Realizing RSC and Shopify are different entities, any info is always greatly appreciated.


@Nicotine_River, and all, I want to take this time to pass something on, that MAY offer an ALTERNATE possibility. I run typically 12 different email accounts (or more), and have received the above sexdortion emails before. I would like to HIGHLY recommend checking all of your EMAIL accounts to see if THEY have been compromised, and/or INVOLVED in a breach AS WELL.


This site is legit, and has been doing this for over 6 years now. I HIGHLY RECOMMEND you check ALL of your emails. Let’s be honest, breaches are happening now with increasing regularity. I had one email account (trasher account, not used for anything secure) contained in TEN different breaches, so it IS HAPPENING, and YOU should check.

Don’t think it’s legit, leery, not sure who they are ??

Also, if you want to be 1337 (Leet, Elite), you should sign up (for free), and with NO personal information needed, to MONITOR ALL of your email accounts, as Firefox/Mozilla have partnered with HaveIBeenPwnd.

I do a LOT of research, AND test myself before I recommend ANYTHING, just so you know. Knowledge is power, so DON’T be left out here.


I check regularly. Never had it happen.


You’re one of the LUCKY ones @Silhouette. I had a client who I was advising who kept noticing suspect activities, and kept ignoring them. Time went on, and he finally asked me to help, and we dug around, and found he (accounts/email/logins/passwords) had been involved in no less than 20 different breaches (he had multiple accounts, and it was unclear exactly what info was compromised PER breach). Knowledge is power.


I’m freakishly paranoid online. My names, are mostly fake, like Jim Bob MacGruber. Freakishly paranoid. Hugely. Just saying. Some places, it has to be right, but most often I lie.


I’ve been pwnd!
2 breached sites!
to make it worse I even used my real name as my email
I have noticed lots of weird things happening too like my EA and ubisoft account being used all over the world and bliZZard password being reset

I don’t use them anymore really so I ignored them
My bank and email is safe though but I’m not taking any chances time for a new email
Thanks drummer!

The next world war is cyber


Hehe, nothing wrong with lying @Silhouette. I’m not saying this is what happened regarding the OP here, BUT, you guys deserve to know what IS going on out there, regardless of any possible Shopify issues not withstanding.

Here’s an example of a client who does small web design contract work. He was bumble-fucked when he saw his …


Well look guys, I didn’t mean to pour GAS on a FIRE, I just want you to be AWARE, that’s all. NOW, what does it mean IF you’ve been pwnd ?? Well, might NOT be a bad time to change some passwords, especially on the email accounts, if that password is shared or similar to others, maybe change them up to. Sure it’s a pain, but not as painful as other things. Just because you’ve been involved in a breach, doesn’t mean you’re guaranteed to get web raped, BUT, it COULD be a nice friendly little reminder, time to change some passwords, security questions, I mean, it never hurts.

Sorry for any possible derail of the OP.


@Silhouette you had me at …


For those who are skeptical regarding their payment information. Payment information submitted to a Shopify store is kept in a securely encrypted, entirely separate location and cannot be accessed. We do not keep any payment information on file and never will due to these reasons.

I will respond here when I discover further information regarding this matter. As of this moment, this is still under investigation.

Thank you


@Nicotine_River thanks bunches for responding! If I could fist bump through the screen, I would.



I got your back @Silhouette.



Damn I know it wasn’t my fist bump to take but I did it anyhow - I should have been more careful :grinning: