I'll post the message I sent to them. This isn't a "torch and pitchfork" type post, this stuff happens, just an FYI to keep an eye on your CC statements if you've made an order through them.
> This is purely for information, no finger-pointing or denigration meant. Whatever system (or 3rd party) you're using to store credit card data seems to be compromised. My last order through you was approximately 10 weeks ago (05/02/20), using a Privacy.com virtual credit card. That card is tied to only this merchant, it can't be used anywhere else.
>
> This morning (07/19/20) I was notified by Privacy.com
> "$0.00 charge at AIRBNB INC declined on your Heartland Vapes card because it was already in use at HEARTLAND VAPES LLC. Cards can only be used at a single merchant."
>
> Someone has accessed the virtual card data and appears to be testing it. There is no area in my account details where the CC details are available, so this isn't a simple compromised account. This wouldn't be a Privacy.com compromise, because beyond that account using 2fa, if they were in that account they would have my actual credit card information.
Not surprising, happened to me a few years back on a new card that only had 2 transactions(McDonalds and Heartland), the bank caught it due to them buying a train ticket somewhere in the EU!
Took a look on built with.com and got some evidence for my hunch. Heartland vapes is built on Magento e-commerce CMS. There is a known exploit in Magento that keeps getting recycled as it updates which grants the actor access to the database. The attackers are able to create a credential that will allow them to access those stored details at will. I don't have causal evidence, but this shoe fits pretty well: https://community.spiceworks.com/topic/2281679-snap-magento-s-backdoor-edge-updates-g-suite-security-features-sunlike-star?source=start&pos=21 I'm pretty sure ECX had a similar problem in the past.