Warning: Zavvi Account Hacked/Compromised - Check Your Details

Hey folks, just advising that if you have a Zavvi account (part of TheHut) you might like to check your password (change it) and delete any stored credit card details.

Last night I got a standard email from Zavvi informing me that I had just placed an order (for Battlefield 1-PC) for GBP42.99 + 0.99 postage.
I did not make this order. In fact I have only ever purchased once on Zavvi more than two years ago (thanks to OzBargain…).
I checked my CC (28degrees) and sure enough there is a pending transaction for $73.40.

I tried to login to the Zavvi account but it says either email or password not recognised. So I tried the forgot/recover password.
Got an email sent to my "correct" email address but it said there is no registered account for that email - the same email I just got the order message sent to.

So I can only assume that immediately after the purchase the "hackers" changed my login details somehow (and probably the delivery address etc).
I'm not sure how Zavvi deals with CC details but I'm guessing the CVV is either not required or is stored, otherwise I don't know how they could make the purchase. On the surface it actually looks like I did actually make the purchase, except I now can't login to my Zavvi account to review the order.

So, since most of these online stores have abysmal customer support, there is no way to contact them except through an active account.
I had to register a new account. Sent them a message and got the typical fob-off response saying they can't review "my order" except from the account that made it. They just seem to ignore that I was mentioning a hacked account and unauthorised purchase. And typically this "customer support" email comes from a do-not-reply email with no support ticket number for followup.

This morning I canceled my CC and will now have to wait until the pending transaction is finalised and try to claim the money back.
I'm also reviewing my password use on different accounts in case attempts are made to gain access to other online stores I've used.

I won't be using Zavvi again and advise those that do to check how the CC details are dealt with.

Anyone else have any similar issues with Zavvi, TheHut or other online stores and fraudulent purchases like this?

Related Stores

Zavvi UK

Comments

  • If it is Zavvi's problem then the incident might have exploded at HotUKDeals. I googled "Zavvi Hacked" and can't seem to find anything relevant recently. Maybe it's your Zavvi account getting hacked (for example reusing a password that you use elsewhere), rather than the site being compromised?

    • Yes, it's possibly only my account - I am guilty of using same/similar passwords for similar types of logins (i.e. online stores).
      But even so, they could only have made a purchase with my account details if my CC details and CVV were also stored in my Zavvi account or Zavvi don't require the CVV ???

      The fraudulent order email had all my correct address details - it was as if I had actually made the purchase.
      But I then couldn't login to my account.

      The only other option is "full conspiracy theory" and it was an "inside job" by Zavvi (or Zavvi employee) and they put fraudulent purchases on dormant accounts hoping that people won't notice. Their customer support process is woeful and it'd be nigh on impossible to have this sort of thing sorted out.

      • +2

        I am guilty of using same/similar passwords for similar types of logins

        It's most likely this.

        Since 2012 there have been a series of mega-leaks/hacks where billions and billions of passwords were made public. This has meant not only having a huge database to try but also has made guessing attacks much easier because it's revealed that people "make up" passwords in predicable ways.

        Get yourself a password manager - it will make your life easier aside from anything else. You will have one password to remember. Then every time you login to a site make a new password for it using the password manager.

        Lastpass is free.

        • Good advice. I already have a LastPass account - just never used it. Stupid eh? Will be doing so from now on.

        • Then every time you login to a site make a new password for it using the password manager

          I agree from a security point of view this is definitely the most robust and I've always been a fan of this. However, I find the problem is if you're someone that uses more than one device, especially where one is a work device. Depending on your access rights you may not be able to install add-ons/software. Basically it means you won't always have your password manager with you.

        • @illumination: Just get Lastpass on your phone, which was recently made free.

  • +2

    Worth checking your email address here: https://haveibeenpwned.com/

    • I checked my two main email addresses - not pwned. So that's good, I guess, but doesn't mean they haven't been individually hacked.

    • I'm getting spam emails for the 1st time after using that website yesterday. Too much of a coincidence. Avoid using it.
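An added example, not from anyone in this thread, tying together the two pieces of advice above (stop reusing passwords, and check whether your details appear in known breaches). It shows three things a defender can do locally: flag identical passwords across sites the way a password manager's audit would, generate a unique random password per site, and check a password against a breach corpus using the k-anonymity model that haveibeenpwned's Pwned Passwords range API uses, where only the first five hex characters of the SHA-1 hash ever leave your machine. The range response below is constructed for the example (the first suffix is the genuine SHA-1 tail of the string "password", the count and the other lines are made up), and `offline_fetch_range` is a stand-in for the HTTP request so the code runs without network access.

```python
import hashlib
import secrets
import string
from collections import defaultdict
from typing import Callable

# Constructed offline stand-in for the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# Each line is "<remaining 35 hex chars>:<times seen in breaches>".
# Counts and filler suffixes are made up for this example.
OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # real SHA-1 tail of "password", count constructed
        "0A3F5A4D2B9C8E7F6A5B4C3D2E1F0A9B8C7:2",        # constructed filler suffix
        "FFEEDDCCBBAA99887766554433221100ABC:1",        # constructed filler suffix
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the network call: return the range body, or '' if unknown."""
    return OFFLINE_RANGES.get(prefix, "")


def sha1_split(password: str) -> tuple[str, str]:
    """Hash locally and split into the 5-char prefix that is sent and the suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 if never seen)."""
    prefix, suffix = sha1_split(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:          # match is done client-side, on the suffix
            return int(count)
    return 0


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group sites that share an identical password (site -> password mapping in)."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Unique per-site password from the OS CSPRNG; one per login, stored in the manager."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed vault illustrating the reuse pattern described in the thread.
    vault = {"zavvi": "Summer2016!", "umart": "Summer2016!", "bank": generate_password()}
    print("reused:", find_reused_passwords(vault))
    print("'password' seen in breaches:", breach_count("password"), "times")
    print("replacement candidate seen:", breach_count(generate_password()), "times")
```

Swapping `offline_fetch_range` for a function that performs the real HTTP GET gives a working client; everything else stays the same because the matching is done on your side. A password that comes back with any non-zero count belongs on the change list even if you have not been notified of a breach.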

  • Speaking of which, I noticed that I have started getting spam using the email address I used for Umart orders. I think Umart might have been hacked too.

  • Interested to find out the delivery address.

  • UPDATE: managed to convince Customer Support that the issue was worth pursuing further. I sent a screen shot of the Order Confirmation which has the order number and my actual name and address. I told them if the delivery address is now different that's evidence my account was compromised. Anyway, was asked for my phone number so they can get one of their "security" personnel to contact me. Still awaiting a call…
