Possible data breach at Nicotine River

Son of a bitch got one of the emails this morning, never opened it. I ordered from River Supply about a week ago

4 Likes

@Jmars Check all of your emails …

3 Likes

I only have one email, and it’s not really used for much. The email was posted at 3:40am from a Sabrina Lang just to get some more info out.

5 Likes

I’m on here too, I have used the one email the scam got sent to for all my vape orders the last 11 months, which has been from nicriv, ecx, lightning vapes, and vapeNW, no other emails affected

5 Likes

I got one yesterday. Can’t say it was from NR but it was the same as you describe.

5 Likes

My secondary email (used for junk signups, anything I don’t want primary used for) wasn’t affected. I’ve only had 3 spam emails sent to that address in a few years. My husband got the spam email too, but I think it’s been 3+months since he ordered from River Supply. He has a separate account from me also.

Also, Happy Data Privacy Day!

5 Likes

Yeah. Count me in on the “fun” :roll_eyes:

I do have a bit more info for folks though (for those that use email providers that have the ability to track their login history). Hopefully @Nicotine_River can use the following to help track the date/point of origin that the bastards compromised things.

Let me start by saying that my two most recent orders are a fair ways apart. And you’ll notice that the first attempts to compromise my email account precede the most recent order from RivSupCo.
So if my thoughts are on target, the breach HAS to have happened before Jan. 7 2020.

I had a tiny order on 16 Jan. 2020

The other most recent order (also small) was on 29 Nov. 2019.

Also, @Nicotine_River, I can’t currently see a way to change my password (on Firefox 72.0.2) for your website. While that’s a good thing (I hope), that should mean that they can’t either… I’d like to be able to change my RivSup password ASAP!!!

I’ve already had to change a few others (just as a precaution, even though they used other email addies). But not being able to change the one that was the cause of all of this? ermm… :crazy_face:

The list is being spread folks. ACTIVELY.
You NEED to take things like this seriously, and ACT QUICKLY!!!

I’ve already had multiple attempts on compromising my email.

1-7-2020 (unknown)
1-10-2020 Indonesia
1-10-2020 Brazil
1-20-2020 Ukraine
1-26-2020 Vietnam

Get off your butt and START CHECKING/CHANGING anything that uses the pass you used with NR/RS/anything that uses the Shopify platform folks!!

Good luck everyone.

5 Likes

Also, I forgot to say… Thank you @warkwarth for bringing this to our attention so we CAN take action on it.

Otherwise, I’d have been further behind the curve than I already was. I do try and check the login activity on the more important sites from time to time, but things like this always need an ‘extra’ check (regardless of when you last checked).

You rock @warkwarth, good lookin’ out! :thumbsup: :beers:

6 Likes

Thanks @warkwarth @SessionDrummer
I haven’t shopped at NicRiver but I got two strange emails in the last few days:

1st was
From: wesson smeeth
Re: Hi
Body: Hi

2nd was fwd (as above):
Body: Can you pay my fine for me

I deleted them both but googled the name & checked the Aus scamwatch site = no result.

I have now used the links provided to check mine & no issues found.

Could just be a case of user error but I found it strange…
Time to change passwords, just in case :astonished:

Thanks again :+1:

4 Likes

Ok, so this sort of thing is news to me. I checked my email and 4 breaches. What is the next step?

Also, I did not know it’s a good idea to have several email accounts. Why?

4 Likes

Haven’t checked my email in quite a while, so I just looked and I see a “Thank You” mail from River Supply. I don’t even want to open it🧐 but if it is legit from @Nicotine_River you’re very welcome and thanks for the cool sticker and the extra twist top caps you sent in my order😎


2 Likes

Your email being “pwned” is nothing to worry about. It’s just that, your email address - nothing more. The issue is with other details that may have been pwned at the time, such as passwords, credit card numbers, etc. Not every site stores their passwords securely (everything from broken encryption to no encryption in a database field), which is why using the same password on multiple sites is "a really bad thing"™.

Multiple email addresses are useful to identify possible breach sites… if you suddenly get spam into an account that is only used on one site then it’s possible that site has been compromised. That however only assumes that all your email accounts are really different from each other and are not brute forced (if you use a variation on a name based on the site name, chances are that can be guessed for multiple sites should spammers really want to).

All the above said, I’ve had spam into accounts that have never been used as they were setup for various reasons (usually name retention)… which suggests that either the ISP or the “free” email provider has been hacked or given out/sold on the addresses to advertisers (nothing in life is truly free).

Interestingly, it’s been a while since I had spam emails from myself to myself… something that was hugely common a few years back.

6 Likes
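The post above says weak password storage is what turns a leaked e-mail list into a real problem, and that password reuse is what lets one leak compromise other accounts. The following is an added example, not code from the thread or from any of the shops mentioned: three constructed "leaked" user tables model the storage styles the post lists (plaintext, an unsalted fast hash, a salted slow KDF), a small wordlist attack is run against each, and the recovered passwords are then used to link the same person across sites the way credential-stuffing bots do. Every shop, user, password, salt and the wordlist are constructed for the demo.

```python
"""Added example (not from the thread): weak password storage + password
reuse. Constructed leaked tables, constructed wordlist, constructed users."""

import hashlib
import hmac
import os

# Stand-in for the multi-million-entry lists used in real cracking runs.
WORDLIST = ["password123", "12345ab", "letmein", "vapelife2019", "Summer2019!"]

PBKDF2_ITERATIONS = 100_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow derivation: the storage style that resists cracking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# alice reused 'vapelife2019' at all three shops; dave chose a passphrase
# that is not in the wordlist. All constructed.
SHOP_PLAINTEXT = {"alice@example.com": "vapelife2019",
                  "bob@example.com": "letmein"}

SHOP_MD5 = {"alice@example.com": hashlib.md5(b"vapelife2019").hexdigest(),
            "carol@example.com": hashlib.md5(b"password123").hexdigest()}

_salts = {"alice@example.com": os.urandom(16), "dave@example.com": os.urandom(16)}
SHOP_PBKDF2 = {
    "alice@example.com": (_salts["alice@example.com"],
                          pbkdf2("vapelife2019", _salts["alice@example.com"])),
    "dave@example.com": (_salts["dave@example.com"],
                         pbkdf2("correct horse battery staple", _salts["dave@example.com"])),
}


def crack_unsalted_md5(table: dict, wordlist: list) -> dict:
    """Hash the wordlist once, then look every user up in the result.
    Cost is O(len(wordlist)) no matter how many users leaked, which is
    why an unsalted fast hash is barely better than plaintext."""
    precomputed = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}


def crack_salted_pbkdf2(table: dict, wordlist: list) -> tuple:
    """With a per-user salt the whole wordlist must be re-derived for every
    user, and each guess costs PBKDF2_ITERATIONS rounds. Returns the
    recovered passwords and the number of KDF calls the attacker paid."""
    found, kdf_calls = {}, 0
    for user, (salt, stored) in table.items():
        for guess in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(pbkdf2(guess, salt), stored):
                found[user] = guess
                break
    return found, kdf_calls


def reuse_victims(recovered_by_shop: dict) -> dict:
    """Credential-stuffing view: for each e-mail, the shops where the same
    recovered password worked. Anyone seen at two or more shops is reported;
    that password will be tried against every other account the address holds."""
    by_user = {}
    for shop, creds in recovered_by_shop.items():
        for user, pw in creds.items():
            by_user.setdefault(user, {}).setdefault(pw, set()).add(shop)
    return {user: shops
            for user, pws in by_user.items()
            for pw, shops in pws.items() if len(shops) >= 2}


def run_demo() -> dict:
    md5_hits = crack_unsalted_md5(SHOP_MD5, WORDLIST)
    pbkdf2_hits, cost = crack_salted_pbkdf2(SHOP_PBKDF2, WORDLIST)
    victims = reuse_victims({"plaintext_shop": SHOP_PLAINTEXT,
                             "md5_shop": md5_hits,
                             "pbkdf2_shop": pbkdf2_hits})
    return {"md5": md5_hits, "pbkdf2": pbkdf2_hits,
            "kdf_calls": cost, "victims": victims}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The MD5 shop falls for five hash computations in total; the PBKDF2 shop costs a fresh set of slow derivations per user and still gives up alice, because her password was in the wordlist. The KDF protects dave, whose passphrase was not. Nothing protects alice at the plaintext shop, and once her password is known from any one of them it is known at all three.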

How do you know if that has happened?

So if I use Gmail should I make the other emails with Gmail or should I use others such as Mozilla?

kinda like when scammers call you with your own number.

1 Like

Once your email has been pulled, it is now pretty much a known and shared target forever for brute forcing passwords and the like.

Hackers and bots start cross referencing for other usernames you have used, building a profile etc.
They can try to get your real name, which in this case is what happened, which can lead to identity theft.

So yeah, it’s still a concern. I would just make a new e-mail, it’s easy enough. You can use your old one as a throwaway and have a separate one for banking or anything important.

Or be like the OP (on reddit not me) and use an e-mail forwarding service that creates a unique email for everything you use and then forwards them to your real e-mail.
That way they should never get your real e-mail address

4 Likes
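Two posts above describe the same defence: a different address for each site, so spam arriving at one address names the site that leaked it, with the caveat that an alias built from the site name alone ("me+nicriv@") can be guessed by anyone who has the base address. This added example, not code from the thread or from any forwarding service, shows one way to mint per-site aliases that still identify the site but carry a short keyed HMAC tag, so a guessed or forged alias fails verification instead of being attributed to an innocent shop. The secret, the mailbox, the site labels and the spam sample are all constructed.

```python
"""Added example (not from the thread): per-site e-mail aliases with an
unguessable HMAC tag, and attribution of incoming spam to the leaking site.
SECRET, MAILBOX, DOMAIN, the site labels and SPAM are constructed."""

import email
import hashlib
import hmac
import re
from email.policy import default
from typing import Optional

SECRET = b"use-a-long-random-value-stored-outside-the-mailbox"  # constructed
MAILBOX, DOMAIN = "me", "example.com"                          # constructed
TAG_HEX_LEN = 10  # 40-bit tag: short enough to type, far too long to guess


def alias_for(site: str, secret: bytes = SECRET) -> str:
    """Mint the alias to register at 'site', e.g. me+nicriv.<tag>@example.com.
    The label is normalised so 'Nicotine River' and 'nicotineriver' agree."""
    label = re.sub(r"[^a-z0-9-]", "", site.lower())
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return f"{MAILBOX}+{label}.{tag}@{DOMAIN}"


def attribute(address: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the site an alias was minted for, or None when the address is
    the bare mailbox, has no tag, or carries a tag that does not verify
    (a guessed 'me+nicriv@' alias, or one minted without the secret)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != DOMAIN or not local.startswith(MAILBOX + "+"):
        return None
    label, sep, tag = local[len(MAILBOX) + 1:].rpartition(".")
    if not sep or len(tag) != TAG_HEX_LEN:
        return None
    expected = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return label if hmac.compare_digest(expected, tag) else None


def leak_source(raw_message: bytes) -> Optional[str]:
    """Name the site whose alias an unsolicited message was delivered to.
    Delivered-To is checked before To:, because To: is attacker-written
    display text and may not contain the real recipient at all."""
    msg = email.message_from_bytes(raw_message, policy=default)
    for header in ("Delivered-To", "To"):
        for value in msg.get_all(header, []):
            for addr in re.findall(r"[\w.+-]+@[\w.-]+", str(value)):
                site = attribute(addr)
                if site:
                    return site
    return None


# Constructed spam, delivered to the alias that was only ever given to 'nicriv'.
SPAM = b"\r\n".join([
    b"Delivered-To: " + alias_for("nicriv").encode(),
    b"From: wesson smeeth <ws@mailer.invalid>",
    b"To: undisclosed-recipients:;",
    b"Subject: Hi",
    b"",
    b"Can you pay my fine for me",
    b"",
])

if __name__ == "__main__":
    print("register at nicriv as:", alias_for("nicriv"))
    print("spam attributed to:", leak_source(SPAM))
```

Any mail provider that accepts `+` sub-addressing or catch-all delivery can receive these; the tag is verified on your side, so the provider needs no knowledge of the secret. An alias that fails verification is still worth noticing: it means someone is spraying guessed variants at the base address, which is the scenario the first post warns about.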

Do I just stop using it or do I have to “clean” it somehow?

2 Likes

I don’t think it’s possible to “clean” it.
The email address is just listed and being shared among hackers and bots.
You can use for it anything you wouldn’t care to lose IF it ever does get hacked.
But considering they got peoples real names associated with the email I wouldn’t even use it anymore.

3 Likes

Ok, Thanks for the heads up and the advice. Much appreciated. :vulcan_salute:

1 Like

“How do you know if that has happened?”
Usually haveibeenpwned summarises the data types breached, but apart from searching for news articles it’s impossible to know what data was leaked if the companies don’t own up.
There is also the “passwords” link on that site that you can use to see if your password is in the wild… even if it’s not linked to an email address this is important, because brute force systems often take password lists, encrypt them, and then test that against other data leaks looking for matches (it’s that that creates a link between passwords and accounts). There are also well known passwords, such as 12345ab, 12E4Sab, password123… etc., which are again used to create hashes of passwords to test against encrypted passwords that have been previously pwned.

“So if I use Gmail should I make the other emails with Gmail or should I use others such as Mozilla?”
Doesn’t make much difference if it’s multiple accounts with one provider or multiple providers… just means that if you suddenly start getting spam for an account only used on one site there is a chance there was a breach that the site has not yet reported, or heck, even knows about itself.

“kinda like when scammers call you with your own number.”
Yeah, although that seems like it’s more of a US problem than a UK one. In the UK it’s a lot harder to spoof numbers because of the way numbers are sold and registered. We don’t have any ability to mix landline and mobile numbers (different dialing prefix), so you always know that dialing an area code is a landline and dialing a mobile carrier prefix is a mobile phone. So (if what I was told is correct) you don’t have a situation where the person called can end up paying incoming call charges for a call someone else made to their phone, and spoofing numbers is either expressly forbidden or not possible due to the way the system works (although it’s possible to buy disposable/reusable, short-rent numbers and also withhold the calling number completely, but police can still access withheld numbers), because only one telco (BT) assigns landline numbers, only a few telcos assign mobile numbers, and only registered telcos can embed the number into the dial.

6 Likes
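The reply above points at the haveibeenpwned “passwords” check. The practitioner's detail worth knowing is that its range API is designed so you never send the password, or even its full hash: the client sends the first five hex characters of the SHA-1 and compares the returned suffixes locally. This is an added example, not code from the thread or from haveibeenpwned. The live call is isolated in `fetch_range()` (the URL, the `User-Agent` requirement and the `Add-Padding` header are the public API's documented behaviour); the demo instead feeds the checker a constructed response built from a made-up leaked-password table, so it runs offline.

```python
"""Added example (not from the thread): k-anonymity password check against
the Pwned Passwords range API. LEAKED and constructed_range_lookup() are a
constructed offline stand-in for the live service."""

import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex into the 5-char prefix that is sent
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse the service's 'SUFFIX:COUNT' lines into {suffix: count}.
    Blank or malformed lines are skipped rather than trusted."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches (0 = never seen).
    Only the prefix is handed to range_lookup; the suffix match is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup. The service requires a User-Agent; Add-Padding asks for
    dummy zero-count entries so response size does not leak the prefix's contents."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed leaked-password table standing in for the real corpus.
LEAKED = {"password123": 123456, "12345ab": 42, "vapelife2019": 3}


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for fetch_range(): the suffixes of LEAKED entries
    whose SHA-1 starts with 'prefix', in the service's line format, plus a
    zero-count padding line like the ones a padded live response contains."""
    lines = []
    for pw, n in LEAKED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 35 + ":0")  # padding entry
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ["password123", "correct horse battery staple 7"]:
        print(repr(pw), "->", pwned_count(pw, constructed_range_lookup))
    # Swap in fetch_range for a real check: pwned_count(pw, fetch_range)
```

The same SHA-1 prefix covers, on average, several hundred real suffixes, so the server learns only that your hash is one of those; a count above zero means the exact password is in the corpus and should be retired everywhere it was used, not just at the shop that leaked.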

I’m overly-paranoid about online stuff. I use a different email address at each site I shop on. While it is no buffer against a data breach, at least I do know which site is responsible for spam or other suspicious activity because it correlates to a unique email address. It is a pain in the ass, but I do it anyway.

And yet, I’ve had a lot of credit cards stolen over the years. Credit card companies are very good with fraud protection so I’ve never been on the hook, fortunately.

One site either sold my email address or got hacked years ago, and I still get spam emails asking me to consider enhancing my manhood or letting me know that horny singles are in my area tonight. I am always surprised to hear that, because I live in the middle of nowhere. I’ve looked and never saw any in the woods or walking down the street. I wonder where they are… I did see a lady walking her dog once but she didn’t look particularly amorous.

4 Likes

Hey, I didn’t see any option to change my password in the My Account section, so I basically logged out, didn’t let my browser sign me in and reset the password by using ‘forgot password’. Didn’t really want to do it that way, but I did that last night. *Also changed all my email passwords, deleted old unused accounts tied to those emails.

6 Likes