The beginning of my journey as a FabFitFun customer was less than ideal. A bit rocky.
However, it was quickly being turned around. Since purchasing an annual subscription for my wife, she has received 2 boxes. The first box, I had to make an educated guess on the selection of the items. The second box, we actually reviewed the items when it was time, and she selected exactly what she wanted. Both boxes seemed to be enjoyed by her, and with the exception of the onboarding, I was satisfied with my purchase thus far.
On September 15th, I received an email from FabFitFun. Their ‘technical team’ had discovered some malicious code on their website and there was a chance that personal information including credit card information had been compromised. Great. The email highlighted that they felt only a small subset of their new customers were affected but they were notifying ALL new customers during the supposed time frame out of precaution. I had received similar emails like this through the years and it was your standard CYA email.
Monday night, I was laying in bed when I received an American Express charge notification for BestBuy for around $500. At the same exact time I started to receive hundreds of emails. All of these emails were ‘welcome to our newsletter’ just opted in like emails. It was very strange. I jumped into my BestBuy account (different email address associated with it) to just make sure this was not a delayed charge or something I might have forgotten about. Nope, nothing purchased from BestBuy since March. I called American Express and they quickly marked the charge as fraud, reissued a new card for my account and let me know that they would overnight it to me. Now that the threat of further charges was no longer a concern, I took a look at my inbox. At the time, I was not sure if it was related to the fraud, but I quickly realized it was.
My inbox was wrecked. Someone had unleashed some sort of bot signing me up for hundreds of newsletters and email lists. Why? Was this someone I knew playing a joke on me? Nope. It was the same person or group that made the BestBuy fraudulent purchase.
Buried in the hundreds of emails (I went through each one unsubscribing) was an actual BestBuy order confirmation email. Here is the kicker, this order was addressed to my wife. Obviously the address of where it was being shipped was not an address we are familiar with. The fraudster was trying to make this look like a real order. This was definitely a more advanced fraud scheme than I had previously seen.
So how do I know that the FabFitFun data breach was the culprit and my card was not compromised somewhere else? Quite simple. The combination of the credit card I used, the email address I used, and the contact information (not mine, my wife’s) was a trio of variables I had never previously used together.
I rarely use the email address I did with FabFitFun for purchases, it’s such a rarity. It’s one of my personal email addresses that is truly SPAM free, and I like to keep that way which is why I rarely ever give it as the email when I make a purchase.
The card I used in combination with my wife’s name. This is never combined. In fact, the FabFitFun purchase might be the only time in the last couple of years where I used that card and put someone else’s name as the contact info. Again, a rarity.
Thanks FabFitFun! The gift that keeps on gifting!
Side note, I sent the address where the BestBuy order was being sent to the local police for that area. Figured a potential drop location for fraudulent purchases might be worth looking into.
John Roman is the Chief Marketing Officer of BattlBox and Managing Partner of Carnivore Club. While those are his flagship brands, John is involved in a over a dozen other ecommerce brands from a equity/partner/advisor capacity.