KFC App Compromised - Unauthorised transaction

Hi all,

Just a heads up, my KFC app was recently compromised, allowing someone to spend around $70 bucks on finger licking good chicken. Might be worthwhile for anyone with the app to change the password.

It was attached to my PayPal account, who I contacted stating what happened. They basically said it was not an unauthorised transaction as I had approved the merchant. Case closed. Bank also notified, all passwords changed.

Hopefully I am just unlucky and it's a one-off.

Comments

  • +5

    The PayPal protection policy needs to be updated to reflect that they only protect themselves…

    • +2

      Not really. This wasn't PayPal being hacked. This was you allowing someone/something access to your PayPal, and that something being hacked. That's on you or the other app. Don't see why PayPal should be responsible for you allowing others to access it.

  • +1

    Thought it pertinent to notify all parties albeit I was surprised that their protection policy would not cover such events.

    Not really fussed either way, just getting it out there so it doesn’t happen to anyone else. Wasn’t complaining about PayPal’s disregard. Just makes me wonder why I should continue to use it.

    It’s a bit like a leaky condom!

    • +1

      So someone guessed your email and/or password? Could be your ex?
      So you didn't get any emails about the purchase?
      Find the store, ask for CCTV?

  • +5

    This is why I don't use the app
    I don't want to cover up a paper trail every time I spend $70 at KFC

    • This is why I use the app but always pay in store.

      • Not available to pay in store no more since COVID unfortunately. The best way is to always cancel the lame PayPal auto payment sub straight after ordering.

        • Any idea when pay in store will come back for app orders?

  • Thanks for the heads up.

  • +2

    Did you let KFC know? They may refund your money. Also, how did you log into the KFC app? Facebook or email/password? Your Facebook could be hacked. Or if you reuse your password over a few different logins, this can happen if one is compromised. Make sure you update your password, and for any websites that use the same email/password combination.

    • +1

      Thanks minnie, KFC, PayPal and bank all notified. I never use Facebook or Google to log in to other accounts as I prefer to have unique random passwords for everything.

      The only possibility is if my wife reset my password at some point but she doesn't recall doing so. I have only ever used the app once.

      Anyway, just wanted to remind people to change their passwords regularly. Not about pointing blame as others have implied. The bank will refund the transaction as it's a service protection they provide. It's an insurance policy we are benefited by the interest and bank fees/charges we contribute.

      • So did KFC refund your money?

        • Still waiting for a response from KFC. Basically I just notified them of the incident.

          Interestingly:

          1432 received an email stating my email address was updated, however it was updated to the same original registered email address, which is odd. (I use a secondary "spam" email for such accounts).

          1439 KFC email re order received

          1439 PayPal email re receipt

          1439 user checked into store

          All passwords changed within 10 minutes.

          Not sure why they would have updated the email address?

  • +1

    Nah, your details are compromised, not the app. People always blame others first.

    • +1

      So we don't need to change password? Unless KFC makes an announcement?

  • +4

    Are you sure it wasn't that your details are the same for another site?

    Go to https://haveibeenpwned.com and check

    Nothing to do with KFC.

    • It’s always possible but I’m fairly vigilant with my passwords and probably over the top of anything. 10+ key gen with LastPass for everything.

      Kind of impressed that they got free chicken! Probably some kid shouting his mates.

      • "It’s always possible but I’m fairly vigilant with my passwords and probably over the top of anything. 10+ key gen with lastpass for everything."

        Was your KFC password unique and random?

        Someone ordered Maccas with my account... but that was due to the same password being used over and over.

    • @knick007

      What does this mean?

      "Oh no — pwned!
      Pwned on 8 breached sites and found no pastes (subscribe to search sensitive breaches)"

      (Out of all my emails, only one had the above message.)

      • It means that email was found in 8 breaches. I'm up to 10, damn younger me.

        Basically your email, password and whatever other details were on the sites breached have been compromised and need a password change. (If you use any of the passwords in the breach on other sites, they'll also need to all be changed.)

        • Oh right, thanks.

          Just curious, how do my details get compromised? And what do you mean by the "younger me"?

          Also, when you say that below, how do you check which passwords are breached?

          "(If you use any of the passwords in the breach on other sites, they'll also need to all be changed)"

          • @ATTS: Younger me signing up to shady sites ;)

            How they get compromised: hackers. (If it's on pwned it's usually a site/sites that have been breached, not you personally.)

            I use Google's password manager now; every time I visit a site it advises if my data has been breached for that site. I went through every site it had my passwords for and changed them all to unique anyway.

            Previously I randomly selected one of the 10 or so passwords I had in my memory bank.

            On the pwned website, once you've put your email address in, scroll down and it has a list of the breaches.

            Adobe and Under Armour's MyFitnessPal are 2 of mine; the Adobe one included password hints as well, which sucks.

            4 were piracy forums which contained IP addresses as well.

      • It means your details were exposed at some point. The details should be on the site.

  • -2

    Are you sure you didn't sleep KFC? lol

    Bunch of fatties, not even I do $70 bucks' worth of KFC in one go.

  • Had an obvious double payment that Paypal rejected. I had to appeal and it was passed. Easier to speak to someone though.

  • OP prolly used public wifi.

    • Really? That's the best assumption you have out of all of this?

      No, I didn't use public Wi-Fi. +1 for what it's worth, Mr White hat.

      There are a multitude of avenues the password could have been compromised. But everyone's an expert I guess!

      • Well then, bad luck for ya.

  • +1

    I just had the exact same thing happen. Someone in Burpengary made a $65 KFC purchase. I believe the app is leaking information.

  • Update: KFC came to the party and reimbursed the amount in full.

    No free hot and spicy for my troubles tho.

  • Someone did the exact same thing with me too, made a $69.25 purchase in QLD.
    Could you by any chance let me know the process you took to get your money back?

    • Hey mate. I just reported it through customer service. They were really good about it.

      To this day I have no idea how it was compromised given I use randomly generated passwords for everything via LastPass.

      Best of luck with getting back your hard earned money.

      • Also reported to the bank and PayPal.

        • Cheers mate, I will contact KFC.

  • Enable PayPal 2 factor authentication for payments. You'll get sent an SMS with a code that you need to input on the payment. Helps prevent loss.

  • I wish apps would allow you to delete your credit card once you make a purchase, but it's saved on their database.

    • You can delete it on the checkout screen, when you choose which saved payment method to use.

  • Got 12 verification code emails from 4:45pm today, hmm.

  • +1

    Today while I was making an in-store purchase at KFC Berinba QLD with my Mastercard, someone else was using the KFC App to make an almost $39 online purchase on my account at the KFC Garden City Food Court store some 35 kilometers away. When I was notified of the transaction by email, the transaction receipt showed that someone called Jake Parker had used my telephone number, email address and credit card number to make the fraudulent transaction. As I do not know anyone by the name of Jake Parker, and the transaction occurred 35 kilometers from my location, I can only assume that someone has hacked the KFC App database and used existing customer details to open up a new account with KFC. Why didn't the KFC App pick up the fact that my email address and telephone number were already attached to an existing account? When I checked my own KFC App on my mobile phone, there was no record of the fraudulent transaction. I have notified both KFC and my bank regarding this fraudulent transaction but have had to go through the inconvenient process of canceling my credit card in case the culprit tries to use my personal information elsewhere.
