December 18, 2015

Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

gyftMountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs.

The attack on Gyft is likely to be of particular interest to enthusiasts of the virtual currency Bitcoin. Founded in 2012, Gyft has long been a favorite of bitcoin account holders because it’s consistently been one of the easiest ways to exchange bitcoins for digital gift cards that can be used at everyday businesses.

Cyber crooks very often recycle stolen credentials by trying the username/email address and password pairs at dozens of other retailers online, knowing that a good percentage of consumers will reuse the same credentials at multiple sites. If you re-used your Gyft username and password at other sites (tsk-tsk!) it’s time to change those passwords.

Companies can beef up customer account security by requiring users to sign up for two-step or multi-factor authentication, a process wherein the customer must provide a special one-time code sent to a mobile device in addition to a username and password. Enabling two-step authentication helps blunt the threat from stolen customer credentials because the thieves also would need to have access to the user’s mobile device in order to hijack the account.

A cursory examination of Gyft’s user platform suggests the company does not yet offer two-step authentication for its online site, nor does it require users to supply a mobile number. However, at a Bitcoin conference in Africa this year, Gyft founder Vinny Lingham reportedly told the audience the company was considering adding the security feature.

9 thoughts on “Password Thieves Target E-Giftcard Firm Gyft

  1. Robert Scroggins

    Re: two factor identification: what to do with those of us who do not use a smartphone? They could email us, I guess, but I don’t see anyone doing that, and it wouldn’t be very fast.


    1. Steve

      Robert, I share your concern in general, but unless I’m missing something here, it would not be relevant in this case. According to the article, “Gyft lets customers buy and use gift cards entirely from their mobile devices”, so someone without a smartphone likely would not be using the service.

  2. Alex

    Doesn’t surprise me, Gyft is one of those sites cyber fraudsters love. Main reason being they accept Paypal. There security isn’t what you’d expect it to be either. I think for the first $150 or so they don’t even ask you to verify anything.
    People are going after Digital Gift Cards more than ever now! It’s actually been stepped up a lot recently. Main reason being they can sell them instantly and easily for BTC.

  3. jim

    The comment about smartphones. I have a tablet, the tablet is both NFC and Bluetooth comparable. My phone only has to be synced to operate on Bluetooth. I do transfer pictures from my phone (nonsmartphone) to my tablet for storage. The big plus is one week phone life. No butt dialing, flip-phone, neat, eh!. Plus a small data plan, Only bad thing, no updates because its so old.

  4. Gomdoi

    Ok let’s start first where this cyber crime and methods come from ?? Isn’t that interesting ? In forums u can read tutorials but who wrote them ?

    1. Sam

      Careful with that, Gomdoi. If you’re going where I think you’re going then you’re on a slippery slope there.

      Criminalizing security researchers wouldn’t be far behind and that is *always* a bad idea.

      I’m sure I don’t need to write this but just in case: security through obscurity is no security at all.

Comments are closed.