Possible data breach at Nicotine River

I haven’t ordered from nicriv in like 8 or 10 months…

@Sprkslfly ok, even more strange, I used the email that received the scam message to place my last order with nicriv, which was in March of last year, but I did not have an account registered with them with that email address, just ordered as a “guest”…but I do have a nicriv account registered with one of my older emails but have received no scam message to that email…

Remember, it was Shopify that had the breach, and River is just one of many Shopify customers. It’s certainly possible you are receiving suspect emails from another vendor.

Ah, that makes more sense lol idk who else uses Shopify…I haven’t ordered anything at all since August though… I’m so technologically backward it would blow most people’s minds lol i probably shouldn’t be allowed to shop online in all reality

@Dan_the_Man, @PiercedJon pretty much filled in the blanks. My opinion is similar. IF your email IS on the list, i.e. pwnd, that isn’t necessarily the end of the world, but it depends. If you registered an account on a vape store site, never purchased anything, their database gets compromised, your email will show on the list. What does that mean, well it means they at least have your password for THAT site (unless you use the same one elsewhere). Doesn’t mean your personal email account itself got hacked.

So what to do, what to do ?? If depends @Dan_the_Man, if you want to be cautious, and know ROUGHLY how many sites you’ve logged in with, or order using, or provided CC details using that email address, it might NOT be a bad idea to CHANGE your passwords.

It DOESN’T have to be hard if you choose to do so. I have all my purchasing sites in a folder, and broken down from there, so it is an easy click, click, change, and repeat for me. If by chance you use that same email for say your BANKING account, INVESTMENT accounts, well, probably not a bad idea to change THOSE passwords.

It’s NOT required, but it’s never a bad idea. If you have the option to enable two factor authentication, especially on high priority accounts (like text or email you a code when a login occurs), that’s almost ALWAYS a good idea too.

Your mileage will vary Dan, and don’t let the pwnd throw you too far off in the dirt, might be a simple breach from Adobe when you registered a new product, used a unique password, and with no real consequence, but sometimes, never a bad idea to ERR on the side of CAUTION.

Breaches are happening now with increasing frequency, and I personally have soo many emails as I segregate them (as mentioned above), which keeps things sandboxed or isolated. That may be a bit much for most people, but it’s added lockdown for me.

If it helps @Nicotine_River I got the same sextorsion email to the email I use with you guys but what is more worrying is the name that they addressed it to was the name on my credit card (which only has my first and middle initials rather than my full name). I hope you get to the bottom of it.

Me too, the only place my name is written as they have it is my bank card. First full, middle initial, last full.

Btw, is it a risk to simply open the email to get a kick out of what they wrote? Or, is replying to it the real danger? Anyone know?

I sent them a fake bounce message maybe they clean their list lol

Way over my head…what’s that do?

Well maybe nothing but if they scan replies to the email it is basically a message from the email server saying the email address doesnt exist so don’t bother trying it again.

Please do not reply to the email. Ignoring it is highly recommended as replying may trigger the emails to contact you furthermore.

Currently from our knowledge the only information that has been accessed is,

Full Name
Email Address

We’re under the assumption that these names and emails were breached due to a third party application either: misusing our data for unintended purposes or the app was breached and our data is now compromised due to that apps accessibility to our customers names/emails. These are purely assumptions and educated guesses though and are not confirmed answers. I can definitely say though that your payment information is safe as Shopify does an excellent job encrypting that information. Not even I or anyone within our store can access our customers payment information.

We’re working with Shopify now and will continue to do so till we pinpoint the cause of these blackmailing emails. Thank you everyone for your patience, this is our top priority!

To answer that question @Plunderdrum there is risk in just opening it. Mostly from increased spam, but why take a chance.

Depending on what email client you have, some of the better ones can preview without loading, stripping all images, even single pixel tracking .gif’s, etc.

The rule is, when in doubt, throw it out.

@Nicotine_River I’m sure a rather hectic time currently, but I appreciate you taking some time to keep everyone here, in the loop. Thank you.

Yeah, I miss the good old days where you could change a default setting of “do not send a ‘read’ receipt”.

To the best of my knowledge now, the only way to do that is to pay for the “privelage” of access to the hotmail/gmail/etc POP3 servers, and continue to use an ACTUAL email client (where you have the ability to control such settings).

Correct me if I’m wrong (please!!). I’d welcome the change to have that level of control again.

Derp.
Gotta love a good workaround. lol

Thanks for the “Gibbs”!
I appreciate it!

I am not sure where it is in gmail but as I use gmail to host my domains emails I can actually control this. I am sure there would be a way from within gmail as well.

But if you host your domain email with gmail

• In your Google Admin console (at admin.google.com)…
  Go to Apps > G Suite > Gmail > User settings.
• If you’ve created suborganizations in your Admin console, under Organizations at the left, select the organizational unit you want to configure settings for. The Organizations section isn’t available if no suborganizations have been created. For details, see “Configure advanced settings for Gmail”.
• In the Email read receipts section select ‘Do not allow read receipts to be sent’: Disables requesting and returning read receipts.

Sorry for derailing, but since we’re talking email, you want to prevent image loading, and html as well, if you’re concerned…

Another option is to use an email client such as Thunderbird, which blocks remote images by default; the application allows you to download embedded content on an individual basis, or whitelist contacts that you trust not to send hidden code in their images.

Thunderbird rocks it pretty hard with great default settings, and it’s a breeze if you are a multi-email emailer.

Is this what your talking about?

ugly email

Gmail extension for blocking read receipts
and other email tracking pixels.

Note: have not used this and I don’t endorse it only for research purposes therefore I
removed the link

Im looking into this stuff as well now.

Also the other day I installed a firefox extension that injected a javascript into EVERY single webpage it was called loungescr .net and I was getting popups even with adblock installed.

I bocked it with noscript before I found out what was actually causing it.
Nothing is safe anymore

No. It was a setting (way back in the days of w98/wXP) in Outlook Express.
[the dominant email client at the time]

Yeah, you have to be really careful with your choices of extensions these days. =/

When did you get it? Email date? I’m looking through my emails now.