First, emphasis on the word "Possible." I am making this post to both warn people and determine if it is widespread. So if you have ordered from them recently please check your email/spam and comment if you have received a similar email.
Background:
I use an email forwarding service that generates a unique email address for each website/online account I use and forwards all messages to my regular inbox. I have exposed this address only once, a single order at Nicotine River about 6 months ago. I am relatively confident that Nicotine River is the source of the breach, as I have witnessed this several times with the email system I use.
Today I received a classic scam email to that address:
- Stolen personal information in the subject line (such as name, password, or address) to get your attention
- Threat that they had obtained a video from my webcam to blackmail me with ("hand to gland combat" haha).
- Demanding payment in crypto currency to prevent spreading the video to family and friends
It is unclear what information was extracted. The email subject was my real "firstname lastname ID########." I'm unsure what the 8 digit ID number is. Possibly a customer ID from a CRM database?
Edit:
To be clear, I'm not necessarily trying to put blame on River Supply. I just found myself in the unique position of using an email address 1 time and receiving pretty compelling evidence that my personal information was compromised. Figured this was the best place to find people that may have had the same experience and could help investigate.
I have seen nothing to suggest credit card info has been stolen. Regardless, I recommend everybody check if their credit card offers virtual cards. If not, check out a service like privacy.com. I used a privacy.com burner card on this transaction so worst case they got a fake email address, a useless credit card number, and my address. And a sweet video of me jackin' the bean stalk according to the spam email.
Hey everyone, we're aware of the situation. This is not confirmed and we are currently working closely with Shopify as all of our store data goes 100% through their platform. In order for any data to be stolen from our site, it would have to be stolen from Shopify which is home to over a thousand e-commerce stores.
As of now, do not respond to the email. It is purely spam and is intended to scare you by threatening your privacy, it's a commonly used method explained here: https://www.merchantfraudjournal.com/sextortion-email-scam/
Thank you, when I have further details I will convey them here.
A few things
- This silence alarms and worries me
- I see you have not offered us anything for having our data stolen and blackmailed.
- By law are you not supposed to notify us?
- Will you say what action you have taken to stop this from happening again?
I know that I was just about to make another order, a small one at 120ish, hadn't finished it. Had the money, still do. Just recommended your company, really want to make a new order, but I would like to feel secure in doing so. I have been waiting on a word back from you before placing a new order. Been 19 days or so.
A %off discount and free shipping for 100mg+ would be nice, after all how many people would call to place order for the discount or is there a different way
Ty about to place an order somewhere
Cheap fuck
I'm cheap? I had a blackmailing email emailed to me. Heard nothing back about it. Still no reply. Has nothing to do with being cheap. If you bothered to read the rest of thread about 20 days ago this was and my father was involved. I just might go see a lawyer Monday about this. Still nothing from them telling me my sensitive personal secret information was stolen from them.
And by the way a simple "here, have this as an apology" is a time honored tradition among businesses
Btw isn't your reply disallowed
As someone who uses Shopify for their own business, don't pass blame. You guys gotta approve all the apps that access your customer data. Shopify doesn't send emails, so either someone was sloppy with their password or you guys let someone steal this data through negligence.
Hey youreawasteofspace, regarding our apps Shopify already has a team doing an investigation on all apps associated with our website for anything related to these scam/blackmail emails. Although Shopify houses 100% of our data if this is related to an app that is improperly accessing our customers email addresses, it will be deleted immediately from our store.
For those who are skeptical regarding their payment information. Payment information submitted to a Shopify store is kept in a securely encrypted, entirely separate location and cannot be accessed. We do not keep any payment information on file and never will due to these reasons.
I will respond here when I discover further information regarding this matter. As of this moment, this is still under investigation.
Thank you
Hey everyone, just an update. We're currently awaiting Shopify's confirmation regarding the situation, but ours and Shopify's educated guess seems to be that an app that has access to our
- Customer Names
- Customer Emails
was somehow linked to a breach that also included that data from our store. This is still not confirmed, but is expected to be soon. For those still curious, all of our customers' payment information is kept in an entirely separate encrypted location and is safe. We appreciate your understanding and hope to check back soon. We'll have confirmed the source of these spam emails once and for all!
Referred to us by SessionDrummer on ELR. If you'd like to check out your email's status regarding data breaches go here,
Thank you everyone for your patience!
Thanks so much for the heads up, from now on I will remember not to play with myself while shopping at River Supply Co...hard as it is to contain the excitement caused by the anticipation of trying new flavors.
Yep, I have the same email in my spam, it has my full name (middle initial) in the subject. Thanks for the heads-up, time to call my bank...
Same here, also got the same exact email. Jokes on them though, I have no webcam and I'm broke as fuck anyway lol.
A member on ELR showed me this site,
it can show you if your email account name has been acquired by known data breaches
NOTE: if pwnd it does NOT mean your email is hacked just listed.
I just checked and I actually have been pwnd by an adobe breach, my email and bank is safe
but considering I used my name as my email like an idiot years ago,
I'm not taking any chances time for a new one
all you need is a new password
once your email has been pulled, it is now pretty much a known and shared target forever.
my EA and Ubisoft accounts are already being used all over the world (like I really care) and my Blizzard account password was reset recently, Steam is still safe.
hackers and bots start cross referencing for other usernames you have used build a profile, brute forcing passwords etc
plus like I said i used my name for my email long time ago when cyber warfare wasn't just a hot deal, these days that can be a pretty serious issue with identity theft.
So it's also a privacy thing and it's easy enough to make a new one
> Yep, I have the same email
Same here. It freaked me out at first. Not the masturbation part lol. My full name and email address sent from Russia with love by some dude named Nikolai. I was wondering how they got that information..
I got a similar email yesterday. I have only used this email at nicotineriver and big sites like amazon/walmart. Here is the email text:
"A large number of lovers of tickling their schlong on adult sites after a while receive this text!
Terrible video of you tickling your wiener was shot using your web camera. I believe that your family will be surprised by it!
My spyware stole all ur enquiries, accesses to ur social networking sites and more data.
My english literacy leaves much to be desired since I am a foreign citizen (don’t try to consult with legal bodies they won’t be able to catch me).
You destinate 10.5 Lite coin to the address ltc(removed by me) and I will eliminate all of your staggering videos.
I give u 24 hours to perform payment for my silence (my system will notify me that you have opened the text)!
If you neglect these demands I will destroy your public image in front of your relatives, within forty-eight hours all ur compromising data will be directed to ur contacts and ur social networking sites.
This electronic-mail is short life, soon the access to it will be denied, don’t write to it."
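The scam text quoted above carries the same markers called out at the top of the thread: a webcam/spyware claim, a cryptocurrency demand, a payment deadline and a threat to forward material to contacts. The following is an added example and not code from anyone in this thread: a small Python triage script that flags a message on those markers, pulls out the ransom demand and any raw coin address, and splits a "firstname lastname ID########" subject line into name and ID so several reports can be correlated. The signal patterns, the scoring threshold and the benign order-confirmation sample are my own constructed assumptions; the scam sample is the text quoted in the post, with the Litecoin address already redacted by the poster.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the sextortion text quoted in the thread
# (the poster had already replaced the Litecoin address with "(removed by me)").
SEXTORTION = """A large number of lovers of tickling their schlong on adult sites after a while receive this text!
Terrible video of you tickling your wiener was shot using your web camera. I believe that your family will be surprised by it!
My spyware stole all ur enquiries, accesses to ur social networking sites and more data.
My english literacy leaves much to be desired since I am a foreign citizen (don’t try to consult with legal bodies they won’t be able to catch me).
You destinate 10.5 Lite coin to the address ltc(removed by me) and I will eliminate all of your staggering videos.
I give u 24 hours to perform payment for my silence (my system will notify me that you have opened the text)!
If you neglect these demands I will destroy your public image in front of your relatives, within forty-eight hours all ur compromising data will be directed to ur contacts and ur social networking sites.
This electronic-mail is short life, soon the access to it will be denied, don’t write to it."""

# Constructed benign message: it shares one weak signal (a 24-hour window) but makes no demand.
ORDER_CONFIRMATION = """Hi Jane, thanks for your order #1234. Your package has shipped and a tracking
number will be emailed within 24 hours. Reply to this email if you have questions."""

# Hypothetical signal set (assumption): each pattern is one of the markers the thread describes.
SIGNALS = {
    "webcam_claim": re.compile(r"\b(web ?cam(era)?|camera)\b", re.I),
    "malware_claim": re.compile(r"\b(spyware|malware|trojan|virus|hacked)\b", re.I),
    "exposure_threat": re.compile(r"\b(relatives|family|contacts|friends|public image)\b", re.I),
    "deadline": re.compile(r"\b(\d+|twenty-four|forty-eight)\s*(hours|hrs|days)\b", re.I),
    "no_reply": re.compile(r"\b(don.?t (write|reply|respond)|short life)\b", re.I),
}

# Amount followed by a coin name, e.g. "10.5 Lite coin", "2.4 btc", "8 lite coins".
DEMAND = re.compile(r"(\d+(?:\.\d+)?)\s*(bitcoin|btc|lite ?coins?|ltc|monero|xmr|ethereum|eth)\b", re.I)

# Rough shapes of Bitcoin/Litecoin addresses; a redacted address like "ltc(removed by me)" will not match.
ADDRESS = re.compile(
    r"\b(?:bc1[a-z0-9]{25,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|ltc1[a-z0-9]{25,}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"
)

# Subject line shape reported in the thread: "firstname lastname ID########".
SUBJECT_ID = re.compile(r"^\s*(?P<name>[^\d]+?)\s+ID\s*(?P<id>\d{6,})\s*$")


@dataclass
class Verdict:
    signals: List[str]
    demand: Optional[Tuple[float, str]]
    addresses: List[str]

    @property
    def is_sextortion(self) -> bool:
        # Assumed threshold: three markers, or two markers plus an explicit coin demand.
        return len(self.signals) >= 3 or (self.demand is not None and len(self.signals) >= 2)


def _normalize_currency(raw: str) -> str:
    """Map 'Lite coin', 'btc' etc. onto one canonical coin name."""
    key = re.sub(r"\s+", "", raw.lower())
    return {
        "btc": "bitcoin", "ltc": "litecoin", "litecoin": "litecoin", "litecoins": "litecoin",
        "xmr": "monero", "eth": "ethereum",
    }.get(key, key)


def analyze(text: str) -> Verdict:
    """Score a message against the sextortion markers and extract the demand and addresses."""
    signals = [name for name, rx in SIGNALS.items() if rx.search(text)]
    demand = None
    m = DEMAND.search(text)
    if m:
        demand = (float(m.group(1)), _normalize_currency(m.group(2)))
    return Verdict(signals=signals, demand=demand, addresses=ADDRESS.findall(text))


def parse_subject(subject: str) -> Optional[Tuple[str, str]]:
    """Split 'Jane Q Doe ID12345678' into ('Jane Q Doe', '12345678'); None if the shape differs."""
    m = SUBJECT_ID.match(subject)
    if not m:
        return None
    return (m.group("name").strip(), m.group("id"))


if __name__ == "__main__":
    for label, msg in (("quoted scam", SEXTORTION), ("order mail", ORDER_CONFIRMATION)):
        v = analyze(msg)
        print(f"{label}: sextortion={v.is_sextortion} signals={v.signals} demand={v.demand}")
    print(parse_subject("Jane Q Doe ID12345678"))  # constructed subject, not a real customer
```

Run over the quoted text the script reports all five markers and a demand of 10.5 litecoin; the order confirmation trips only the deadline marker and is left alone. Keeping the extracted name and ID number from each report side by side is what lets a group of recipients tell whether the ID is a shared customer-record number, which is exactly the correlation the original post asks for.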
I got this exact same one. hmm.
any precautions i should take with my bank and such? i just reported it as spam.
CVCs should never be stored on the site itself. You should have to enter that every time you make a purchase, which will probably end up saving everyone the trouble of dealing with getting a new CC #. I find it unlikely that they have enough of your credit card info to make a purchase. If they did, they'd be running a much more silent credit card scam instead of this. I'm sure Nicotine River has poor security, but to fuck up so bad that people get the entirety of their credit card info stolen such that the thief will be able to commit fraud with it, that's almost impossible to do.
So if I respond to the email with my goto dic$ pic would that go to nic rivers customer support... sorry Tyler didnt mean to send it to you.. but in my defense it was january and I just got out of the ocean /u/nicotineriver Can I get that discount code now out of pitty
River Supply Co. uses Shopify as their e-commerce platform and Shopify is the platform where your data was held. Shopify has had various data breaches and or vulnerabilities exposed in the last year including this one: https://www.zdnet.com/article/shopify-api-flaw-offered-access-to-revenue-traffic-data-of-thousands-of-stores/
True. Could be any number of issues. I was previously involved in a small eCommerce site. The number of platforms that customer information can be shuffled through is staggering. Shopping cart, payment processor, email marketing, analytics software, CRM, etc
I receive emails from them (never once ordered from them.)
I received a similar spam message a couple of days ago. Can't say for sure if it was them or not. The only information they obtained was my full name and an ID #, which I have no idea what the ID number is for.
Thank you. I've had my credit card breached twice by what I believe are vape shops. I am extremely pissed that these companies won't disclose this. I have avoided some shops out of fear of cc breaches: so potentially good shops lose and bad shops profit from my misfortune.
I got one. Asking for 2.4 btc, that’s 21810.1 usd as of right now.
I just tried logging onto NicRivers site and my account doesn’t exist now.
Bruh mine asked for 8 lmfao
Edit: I couldn’t log on to mine, but idk if the password was changed or I couldn’t remember, so I reset it anyway.
Probably a good video. Or you did something raunchy.
Got 1 last night at 9pm. Saying "So you like to masturbate", had my real name and an ID number I don't know of. Wanted 8 Litecoins or they'll send photos or video of me masturbating. I used NicotineRiver before Black Friday and right before Christmas. I just deleted and changed passwords; it was an email I use for junk and ordering stuff anyway. Found the email kept giving me an error message after changing password when I try to check other mail so I shut it down and made a new junk email.
I ordered mid December. I got an email yesterday calling me a masturbator
I checked my email and spam folder and no email like this and I have ordered from them probably 25 times, last time was probably a month ago or less.
Was it sent this morning? I checked for time stamps for today and a few back for yesterday as well.
I've had 2 orders this past month, has everyone else who got the email ordered recently as well?
Woah I got the same email. Do you guys recommend changing passwords too? How severe is this data breach. Is it just access to our email address and name or is it a lot worse?
No evidence of anything besides name and email. Not even conclusive evidence nicotine river was the source or had anything to do with it. Probably no need to panic.
But if you use the same password on multiple sites, then yes change them. Not because of this thread, but because that's dumb. Get a password manager.
I got this email recently as well. Just a heads up, the account name and credit card holder name were different on my last order. The scam email used the card holder's name and not the name on the Nic river account
So. Is there video?
I'll reply and ask for a sample
I too have received the email. I went ahead and paid them.
This sounds an awful lot like an email/phishing scam that has been going around for a while.
Two things: I would be careful pointing the finger at any source, until you have absolute incontrovertible evidence of that being the source. I would also not respond to the email, as you will be pegged as an "active account" for any scammers keeping track.
These sentences contradict each other:
> First
> I use an email forwarding service that generates a unique email address for each website/online account I use and forwards all messages to my regular inbox. I have exposed this address only once, a single order at Nicotine River about 6 months ago.
If you are using what I think you're using, your real email address shouldn't be exposed. Or are you saying you used your real email address for the NR order?
My real personal address wasn't exposed. It was the address unique to that single NR order that the spam message was sent to. My real name was in the subject line, suggesting that they accessed shipping/billing info.
I have a received 3 messages to that email. NR order confirmation, NR shipment confirmation, and spam message today.
He's saying he used a virtual email address once, on a single order at Nicotine River. Hence, with a data breach, the scammers would get his real name, address, credit card information and the virtual email address. Irrefutable evidence that NR has been breached.
I got the email about exposing me for whacking off if I didn’t pay up. Little do they know I keep my webcam covered. ;) lol
I also use throw away email accounts, random generated passwords and privacy dot com cards.
Ain’t gonna get me that easy. Lol
Thanks for the psa though I haven’t pinpointed which site or platform got hit as of yet.
Was checking my gmail and I have it with my father's name who we ordered under since he paid upfront for me because I didn't want to wait.
Wasn't too happy with River Supply Co but was about to give them a second chance, now not too certain.
I've got to wonder if my information is safe
This could be a useful data point. Have you associated your father's name with your email address in the past? Or just for river supply order?