(Solved, known breach) Were you hacked or did you sell my data on purpose?

I just got an email from some US company (I won’t promote their name here in case it was on purpose…) with a phone number that doesn’t even include a country code (seemingly not targeted at Dutch people, so it sounds like you were hacked and this is just spraying emails). Their address is the same as “Florida Profit Corporation”, so that adds to the spam email theory, though they’re also a registered seller on Amazon and other places (not so common for random spammers).

This email was directed to an email address I used only for Jimmy Joy in 2019. It was sent by o78.email.wishpond.net (IP range owned by SendGrid, which is less common for random spammers) today at 01:35:19 CEST.

Was this your doing? Was my data shared with third parties for the purpose of direct marketing somewhere between January 1st 2019 and today?

Came here for this exact reason. I had two unique emails, one from when the company was called ■■■■■■■ and another for the JimmyJoy era. Both emails started getting spam.

I don’t see a good option here. Either the data was sold on purpose, or the customer DB has leaked with even more information. Gotta check if my credit card information was stored here. At least I have unique passwords.

I should add that people who don’t have unique emails here can recognize this particular case from the subject: “Enter the code CODE SALE10 before checkout and get 10% off your purchase!” (at least I got identical emails to both of my addresses).

A friend and another customer of JimmyJoy commented that he had gotten a breach notification in May. I guess mine went to the spam folder…

The gist was:

  • “our email service provider, Klaviyo, and subscription processor, Recharge, were exposed to an unauthorized entry.”
  • “no financial client information was exposed”
  • “We have not found any indication that the data was actually retrieved.” (sure seems like this did happen)
  • “First Name, Last Name, Email address, Geographic location, Purchase history Jimmy Joy.” were leaked, so no passwords or credit card information
  • “We informed the Data Protection Authority about this potential breach”

I can also confirm getting a notice about a data breach on 2021-05-11; I didn’t notice it among all the other newsletters (or forgot it) until receiving the first spam mail today.

Hello All!

As was already mentioned above (thank you!), this data breach happened back in May and we informed our customers of it then through the following e-mail:

Our sincere apologies to the ones for which this message ended up in the spam folder and of course for the data breach itself.

:green_heart:


Our sincere apologies to the ones for which this message ended up in the spam folder

I don’t have a spam folder: everything goes to inbox, because addresses where I receive spam are blocked anyway. Since I received this spam last night, this jimmyjoy2019 address was not blocked, so the breach notification email must not have been sent to me. I also still have mail server logs from that time, and grep -i jimmy ./logs/mail/2021-05-*.log returns nothing at all. (To check the search method, for 2021-06-*.log it returns emails related to an order from that month, as expected.)

I’m happy to learn this was not on purpose. It would not be the first time that my data was sold, and the contents were on topic for healthy shakes so I really wasn’t sure. Thanks for the response Daniel!

It might be worth checking, though, whether the notification email was sent to the correct group, since apparently not everyone received it.

@Luc Let’s indeed follow up on that for you. If you could get in touch with us through the Live Chat or Love@jimmyjoy.com with your e-mail address, we will gladly have it checked on our end.

Rest assured, we will never knowingly compromise the details of our beloved customers and risk losing the support of our great community.

:green_heart:

I also don’t have a spam filter, but use greylisting. The message came through, because the spammers seem to use legitimate infrastructure to send their emails. The “Reply-To” is “orders@produzor.com”. I really wonder how they would justify this kind of spam if they are a real company. If you have Gmail, click on “report spam” and it will lower the reputation of the sender for Google. This way, senders with shitty opt-in strategies get punished and their deliverability to Google will suffer.

JJ folks, you might want to shoot them a message and ask where they purchase their leads.

I received the same junk mail today. Luckily I used a disposable address when signing up, so I can now just block it.

Well it’s not so much that I care to receive that email still, it’s already screenshotted above, but rather that there might be a lot of other people who haven’t gotten it and are not yet notified of their data being breached. The email address (now blocked) was jimmyjoy2019@lucgommans.nl, in case that helps narrow down the group that was missed.
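Several posters above used a unique address per service, which is what lets them attribute the spam to this breach, and one quoted the sending host and Reply-To of the message. The script below is an added example, not code from the thread or from Jimmy Joy: it parses a constructed message modelled on the quoted headers (the alias registry, domains, IP and date are all constructed) and reports which service’s alias was hit, which host delivered it, and where replies would go, so the leak can be attributed and the sender reported.

```python
"""Triage an unsolicited mail against a registry of per-service aliases."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed registry: alias local-part -> the service it was given to.
ALIAS_REGISTRY = {
    "jimmyjoy2019": "Jimmy Joy",
    "shop-example": "Example Shop (hypothetical)",
}

# Constructed sample message, modelled on the headers quoted in the thread.
# 198.51.100.7 is a documentation-range address, not a real host.
SAMPLE_MAIL = """\
Received: from o78.email.wishpond.net (o78.email.wishpond.net [198.51.100.7])
\tby mx.example.net with ESMTPS; Thu, 12 Aug 2021 01:35:19 +0200
From: Sales <sales@example.invalid>
Reply-To: orders@produzor.com
To: jimmyjoy2019@example.net
Subject: Enter the code CODE SALE10 before checkout and get 10% off your purchase!

Hi there, ...
"""

RECEIVED_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def triage(raw: str, registry: dict) -> dict:
    """Attribute the mail to a service alias and extract sender details."""
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    local_part = to_addr.split("@", 1)[0].lower()
    # The topmost Received header was added last, by our own MX, so it
    # records the host that actually connected to us (not a forged hop).
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.match(received[0]) if received else None
    sending_host = m.group(1) if m else None
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    return {
        "alias": local_part,
        "leaked_from": registry.get(local_part),  # None if alias unknown
        "sending_host": sending_host,
        "reply_to": reply_to or None,
        "subject": msg.get("Subject", ""),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAIL, ALIAS_REGISTRY).items():
        print(f"{key}: {value}")
```

The `sending_host` is what a "report spam" action or a complaint to the sending provider should reference; the `leaked_from` value is the service whose customer data the address was given to.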

@Luc

We checked on our end and found that you unsubscribed from all e-mails from us with your account. We can only e-mail the customers whose e-mail we have on file in our database.

We are still investigating this and are seeing if there’s a GDPR-compliant way to inform every customer instead of only the ones in our database.


@DanielJJ

My Jimmy Joy-specific email address just started receiving spam as well. Like some others, I have personally not received any notification of a data breach. Additionally I could not find any public communication describing such breach, other than this thread started by a customer three months after the fact.

According to the screenshot posted in this thread, data such as “geographic location” and “purchase history” was exposed. As these descriptions are unnecessarily vague, I’d like some clarification. Does any of the potentially exposed data include the physical address or phone number used for delivery?

Could you please contact management at joey@jimmyjoy.com? Then we’ll be able to tell you exactly what relates to you because it all depends on what each consumer has filled out and what data is accessible.

GDPR applies to marketing emails. European law requires that you inform any and all customers who have had personal information stolen in a data breach. Your line of thinking would be like Honda or VW not being allowed to send recall notices to customers who were found to have faulty airbags.

This was the law before GDPR, but it’s been reiterated in the GDPR. You have to inform the government and also the subject of the data breach unless informing the customers is not reasonably possible or the data that was stolen was encrypted or otherwise not actually usable as personal information. Failing to inform customers who were affected by a data breach puts you out of compliance with the GDPR. In this case where the data stolen was email addresses and/or phone numbers and you still have access to the survey data that was stolen, informing those affected should be pretty straightforward. Just make sure you don’t start sending marketing emails to those customers who were previously opted out…

Hey Bob, you are absolutely right, and that’s why we decided to move forward and emailed everyone we can about the issue.

If you did not receive an email then this means we cannot access your email, due to either the email being suppressed from transactional and promotional emails, and therefore not possible to email, or a data deletion request in the past from the customer side.

Hey all, just wanted to give a small update on this to keep you posted. We had calls with the involved parties and were able to narrow down where the breach was.

Jimmy Joy intended to inform consumers of the possible scope of the data breach at the earliest possibility, without awaiting further analysis. However, after further analysis we were able to narrow down the data breach more specifically and inform you that ‘Recharge’ was not subject to the breach.

These kinds of insights can help us to better prevent breaches from happening.