Email someone shared about Data Breach on JJmeds

Posted: Tue Mar 06, 2018 4:42 pm
by cbdflower
Email received this morning.

We feel obligated to inform you: This weekend was devastating for us... On Sunday we took down the site to best deal with a terrible situation we wanted to inform you about.

Drama: On Sunday morning, March 4th, JJ Meds was attacked. We got an extortion threat from [email protected] (not Herb Approach, the online cannabis shop) demanding funds to prevent a customer information leak. This person is also trying to extort other MOMs as well.

What we did: Once the team leaders found out, we took immediate action to address this situation. The website was taken offline Sunday afternoon, March 4th. All IDs and images were permanently removed. We hired a security company to remove malware and any other hacks to our website. The website is revamped and being moved to a more secure server.

What this means to you: The JJmeds website will remain offline until security is ensured. Some of your IDs may have been viewed. All paid orders will be honoured.

How did this happen: According to the security audit, there were malicious codes injected into the site last week, which allowed for plug-ins to be hacked. Securely locked directories were permitted to be public and a couple of sitemaps were created with a compromised plug-in. Based on our security audits, it was only a few days ago that a hacker did this. People who are tech savvy and looking to damage websites can find these codes and see private files.

What was the extortion? We got an email claiming that we were hacked and that if we didn't pay a $1000 bitcoin bounty, IDs would be leaked. A few hours later, one person went on a popular website and posted links to proof of IDs and images showing on our website. Note: there is no proof that all the IDs are offline or that there are any zipped files out there.

This person also went on a popular cannabis chat site and claimed that he worked for us and as a 16 year-old person, we took advantage of him and owed him $5,000. Both these are blatant lies and not true... we have all the people that we started with still here. There is much reason to believe that the only access this person had was the hacked link on our website, not the back end, meaning the majority of the IDs have not been compromised.

This is what we know currently, and we wanted to share that with you, our member. We have never sold any information or shared emails and IDs with anyone. Every action that we can, we are doing to remedy this situation and prevent this from happening again. We are sincerely sorry to everyone for this devastating act of terror.

Why did we keep IDs: Because there are major prosecution and up to 14 years of jail terms for selling to minors, most online shops have an ID requirement. We instructed an IT professional to delete all IDs and images. We do not have an offsite copy of any IDs, on our computers or on the cloud.

Moving Forward: Security and privacy are of utmost importance to us, especially to you, and we are taking drastic measures to ensure that this doesn't happen again. We're not here to scam anyone, and we will never do an "exit scam" or intentionally hurt anyone.

All orders that are paid for will still be sent out. If you have any questions, please contact us at [email protected]

Thanks for your patience and support. Once we are back, we will provide a special to all customers as a thank you for your support while we fortify and recover from this attack.

Our team relies on JJ Meds to feed their families, so we are all deeply injured. We recognise how big of a breach of trust this is and we are committed to earning it back. My partners and I hope to do everything we can so that we can keep providing you with the meds that you love.

Sincerely, Jay + the JJM team

Re: Email someone shared about Data Breach on JJmeds

Posted: Tue Mar 06, 2018 6:39 pm
by SomeRandomNob
It's important to remember that no security system is safe, and even multibillion dollar companies are victims to attacks like these. I think JJ has done as much as they can to mitigate the damage done and I'm personally giving them another chance.

I've watched bigger MOMs straight up lie about customer information getting out because they're scared about hurting their image, at least JJ is being up front.

Re: Email someone shared about Data Breach on JJmeds

Posted: Tue Mar 06, 2018 10:35 pm
by msa
SomeRandomNob wrote: Tue Mar 06, 2018 6:39 pm
It's important to remember that no security system is safe, and even multibillion dollar companies are victims to attacks like these. I think JJ has done as much as they can to mitigate the damage done and I'm personally giving them another chance.

I've watched bigger MOMs straight up lie about customer information getting out because they're scared about hurting their image, at least JJ is being up front.

Well if I search my email on https://haveibeenpwned.com I've been in multiple data breaches ;P They should only store ID offline though if they need to keep them. Hopefully, they learned and other MoMs learn from that too.

Re: Email someone shared about Data Breach on JJmeds

Posted: Wed Mar 07, 2018 6:34 am
by W13
Thanks for sharing, I'm feeling bad for jjmeds :|

They were always a great MOM, now I'm scared to go back