21 July 2022 Update: Updates about the state of our systems
If you haven’t already, please read this post first.
After a hectic few days since our first announcement about the data breach, I wanted to follow up on a few topics that were mentioned here on the forums:
As far as we know someone got access to either one of our IPs, or to one of our supplier’s systems and started randomly authorizing transactions on behalf of many of our customers.
There is no indication that any card data was leaked, as we do not store identifiable information for debit or credit cards. The format of the debit-card records we save on our systems looks a little bit like the following:
There is nothing connecting this information to a specific person or a specific card. In fact, the IDs are completely useless if not used together with our IP, username and password to actually authorize payments on it.
The payments that have been made were refunded and everyone who contacted us got proof-of-refund PDFs. Some banks take a couple of days to process refunds, so if you were not issued one already, please ping us at email@example.com and we will send you the proof so you can follow up with your bank.
No. There is no indication that any data was stolen that would render this breach notifiable.
Our systems were deliberately put into a malfunctioning state to randomly charge users’ cards.
Our top priority was to prevent further bad things from happening, just as much as answering all support requests, refunding the transactions, etc. I appreciate it must be difficult to be in the dark for so long. But until yesterday all of our employees were at work 24/7 preventing even worse things from happening and giving people their money back.
We will try to update you on the progress daily from Monday onwards. I will also stay available for any further questions. I hope those insights will help you assess the situation yourself and understand what we are working on.
We turned off our systems for the time being as we are working on our infrastructure and core security. This will go on for at least another week as we want to make sure everything is done from the ground up with security in mind.
Mid-term we will hire a dedicated IT-security DevOps engineer to help us keep our infrastructure secure while also helping us scale.
For the time being, we are drastically reducing our attack surface by switching from Kubernetes to DigitalOcean App Platform, moving our databases to the same private subnet and disabling public IPs, whitelisting all communication between our systems and, last but not least, creating firewalls for each and every service we deploy that prevent access to unmanaged ports.
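The four measures above (databases on the private subnet with no public IP, allowlisted sources between services, and a per-service firewall that exposes only the ports the service is meant to serve) are the kind of thing that drifts back open over time unless something checks them. The following is an added example, not the company's tooling and not DigitalOcean's API: a small Python audit that encodes those rules as checks over a service inventory. The inventory, the VPC range 10.10.0.0/24, the service names and the addresses are constructed for illustration. It generalizes the text slightly by letting an app component declare which ports may face the public (for example 443 on a web frontend) while everything else must come from the private subnet.

```python
"""Audit a constructed service inventory against the hardening rules described in the post.

Added example; the inventory, CIDRs and names are assumptions, not the company's topology.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed private VPC range; substitute your own.
PRIVATE_SUBNET = ipaddress.ip_network("10.10.0.0/24")


@dataclass
class Rule:
    protocol: str          # "tcp" or "udp"
    ports: str             # "443", "5432" or a range such as "1-65535"
    sources: list[str]     # CIDR blocks allowed to connect


@dataclass
class Service:
    name: str
    kind: str                             # "app" or "database"
    private_ip: str
    managed_ports: set[int]               # ports the service is meant to expose at all
    public_ip: Optional[str] = None
    public_ports: set[int] = field(default_factory=set)   # managed ports allowed from the internet
    inbound: Optional[list[Rule]] = None  # None means no firewall attached, i.e. everything open


def parse_ports(spec: str) -> range:
    """'443' -> range(443, 444); '1-65535' -> range(1, 65536)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return range(lo_i, hi_i + 1)


def inside(cidr: str, subnet: ipaddress.IPv4Network) -> bool:
    """True if every address in cidr lies within subnet (an IPv6 block never matches an IPv4 subnet)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == subnet.version and net.subnet_of(subnet)


def audit(services: list[Service], private_subnet=PRIVATE_SUBNET) -> list[str]:
    """Return one finding per violated rule; an empty list means the inventory passes."""
    findings: list[str] = []
    for s in services:
        if ipaddress.ip_address(s.private_ip) not in private_subnet:
            findings.append(f"{s.name}: private IP {s.private_ip} is outside {private_subnet}")
        if s.kind == "database" and s.public_ip:
            findings.append(f"{s.name}: database is reachable on public IP {s.public_ip}")
        if s.inbound is None:
            findings.append(f"{s.name}: no firewall attached, every port is exposed")
            continue
        for r in s.inbound:
            rule_ports = set(parse_ports(r.ports))
            unmanaged = sorted(rule_ports - s.managed_ports)
            if unmanaged:
                shown = ",".join(map(str, unmanaged[:5]))
                findings.append(f"{s.name}: rule {r.protocol}/{r.ports} opens unmanaged ports {shown}")
            for src in r.sources:
                if inside(src, private_subnet):
                    continue  # traffic from inside the VPC is the allowlisted case
                if s.kind == "database":
                    findings.append(f"{s.name}: database port {r.ports} open to {src}, not just the private subnet")
                elif not rule_ports <= s.public_ports:
                    findings.append(f"{s.name}: ports {r.ports} open to {src} but not declared public")
    return findings


# Constructed "before" inventory: database with a public IP and a world-open port,
# an API with no firewall at all, and a worker exposing every port to the internet.
BEFORE = [
    Service("api", "app", "10.10.0.4", {443, 8080}, public_ip="203.0.113.10", inbound=None),
    Service("postgres", "database", "10.10.0.20", {5432}, public_ip="203.0.113.20",
            inbound=[Rule("tcp", "5432", ["0.0.0.0/0"])]),
    Service("worker", "app", "10.10.0.5", {9000},
            inbound=[Rule("tcp", "1-65535", ["0.0.0.0/0", "::/0"])]),
]

# Constructed "after" inventory: only 443 faces the internet, everything else is VPC-only,
# and the database accepts connections solely from the two app components.
AFTER = [
    Service("api", "app", "10.10.0.4", {443, 8080}, public_ports={443},
            inbound=[Rule("tcp", "443", ["0.0.0.0/0", "::/0"]),
                     Rule("tcp", "8080", ["10.10.0.0/24"])]),
    Service("postgres", "database", "10.10.0.20", {5432},
            inbound=[Rule("tcp", "5432", ["10.10.0.4/32", "10.10.0.5/32"])]),
    Service("worker", "app", "10.10.0.5", {9000},
            inbound=[Rule("tcp", "9000", ["10.10.0.0/24"])]),
]

if __name__ == "__main__":
    for finding in audit(BEFORE):
        print("BEFORE:", finding)
    print("AFTER findings:", audit(AFTER))  # expected: []
```

Run it as-is and the "before" inventory produces six findings (no firewall on the API, public IP and world-open port on the database, and three for the worker's any-port, any-source rule), while the "after" inventory produces none. Feed it the real inventory from your cloud provider's API or Terraform state instead of the constructed lists and it becomes a cheap regression check that the hardening described in the post stays in place.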
I certainly believe that even though this attack was super painful to deal with, it pushed us in the right direction from a security standpoint. This will only make us better in the future.
Probably in 1-2 weeks.
Yes, please contact our support at firstname.lastname@example.org
There is no indication that any card data was compromised. Our acquirer’s platform is PCI compliant and there have been no published breaches of their servers recently. We consider it safe to keep your cards and not re-issue them. Though this is up to you of course and extra security never hurt anyone.
Data breaches happen even to the best. We were really worried that this one might be really hard to swallow for a lot of people. Fortunately, we got a lot of great feedback for being so fast at responding and refunding transactions. If we saw anything, it's that a lot of people actually started to trust us more as we handled this situation with as much professionalism as possible. We had a lot of great advocates defend us on our Telegram Group (without us asking for it).
While I do not want to say there is anything good to this breach in terms of publicity, and there were obviously a lot of angry users as well, I do think that handling bad situations well is by far preferable to not knowing how bad situations will be handled.
Please contact us at email@example.com
This is due to some banks applying FX fees for refunds (don't even ask). We cannot refund more than the original amount, but we will happily either 1) refund your VitraCard physical card shipment of £10, or offer you a share code so you can order it for free if you haven't already, or 2) wire you the outstanding amount.
In both cases, please contact firstname.lastname@example.org and let us know how much exactly your bank charged you.
To wrap it up: I remain at your disposal. Please ask any questions that are not sensitive here in this thread to keep it organized. If anyone asks questions in other threads, please refer them to this one.
I hope you have a great weekend ahead of you!