Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.
Mountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.
Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.
Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.
The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.