Breaking: GunMag Warehouse Data Breach

Byseyhanla

Reports are surfacing of a possible data breach at the magazine clearing house GunMag Warehouse. Reddit Users who purchased the 6 pack of Hexmags deal are reporting that they were receiving calls from their credit card fraud departments as well as seeing transactions anywhere from 28 cents all the way up to the thousands of dollars. With data breaches becoming more commonplace the theft of payment data wouldn’t be a stretch given the recent data breach at AIM as well as a multitude of brick and mortar retailers.

One of the users on Reddit stated that he used his debit card to place the order, then while out to dinner with his significant other learned that his account had been cleared out when his card was declined. Another user reports that he had 2 separate large dollar purchases declined by the fraud department. Since he canceled the card the payment information that he included with a Form 1 will not longer be accurate and is concerned that he might need to resubmit.

TFB reached out to GunsMag Warehouse and they made the following statement …

Dear Gunmag Warehouse Customers,

We were made aware of a possible security breach last week and immediately hired the cyber security experts at Securi to conduct an investigation. They isolated and patched the offending vulnerability within our e-commerce platform. This exploit appears to have arisen after a recent third-party module update made on June 6th. While our database was never compromised, orders placed from June 6th – July 19th may have been affected.

To ensure the security of our checkout going forward, Securi conducted a new audit this morning and verified our site as secure. We consider the safety of our customer’s information to be of the utmost importance, and will continue to do everything possible to keep our checkout secure.

Furthermore, in an effort to keep your data secure we do not – nor have we ever stored any CC info on our servers. To ensure another event like this does not reoccur, Gunmag Warehouse will be implementing additional security protocols to ensure our site has redundant security points.

We apologize for the trouble this may have caused some of our customers. Please do not hesitate to call our support team if you have any further questions or concerns.

We appreciate your patience and understanding in this matter,

-Michael Lambka

President

1. There is no correlation between our recent hexmag promo and the security breach.

2. We did not respond sooner because we wanted to make sure we had all the details regarding the security breach. These Security breaches can be complex and thus take time to fully understand the depth of the issue. If we responded immediately without all the facts we would have been guessing.

3. Customer service is currently reaching out to customers known to be affected during these dates. We feel this is better than sending out a mass email as we will be able to answer any questions customers may have on a case by case basis.

4. Any information entered at checkout during these dates may have been compromised. This includes names, billing/shipping addresses and CC info. Passwords to accounts would only have been compromised if the account was created at checkout. Since the database was never compromised any past orders were not affected.

5. Our site is 100% secure and we will be rolling out additional security protocols over the next few weeks.

6. We have reached out to other payment processors in the past to offer more options. Unfortunately, most of them including Paypal are not 2a friendly.

7. Support can be reached over the phone or by email Monday-Friday 10am to 6pm. Our direct line 305-901-2223 and our email is support@gunmagwarehouse.com

Editor’s note: I really appreciate a company being upfront about this. Data breaches do happen. It’s what companies do after that really matters.



Patrick R

Patrick is a Senior Writer for The Firearm Blog and works in the shooting sports industry. He is an avid recreational shooter and a verified gun nerd. With a lifelong passion for shooting, he has a love for all types of firearms, especially handguns and the AR-15 platform. Patrick may be contacted at tfbpatrick@gmail.com.

The above post is my opinion and does not reflect the views of any company or organization.


Advertisement

  • KestrelBike

    oooooh, that’s near unforgiveable if true. Stuff like this is why I never use my debit card except for the ATM at my Credit Union’s branch, or reluctantly at ATMs that I hope someone didn’t put a skimmer in to. Never ever for online stuff.

    I’m woefully ignorant when it comes to the workings of e-commerce, but don’t most online retailers handle their payment systems with professional 3rd-parties? Or is payment information commonly held “locally” on the retailer’s servers? (especially if the customer chooses to “save payment info for future, fast transactions”?) If it turns out that gunmag warehouse was irresponsibly holding onto customer CC info against e-commerce commonsense/norms, then super-shame on them.

    • Patrick R. – Staff Writer

      The company confirmed a breach, the article was updated.

      • KestrelBike

        yeah, they say that they didn’t house CC info, then how did so many people get fraud on their CC’s? Something isn’t adding up.. and my gut reaction is to think the simplest reason is that gmw is not owning up to something on their end.

        • Mike Summers

          Most likely the hacked 3rd party module either tucked the card numbers away for later retrieval or sent them on as they were received. Much simpler than getting into GMW’s db.

    • Beerfarticus

      Yeah Debit cards are dangerous, your bank account can be drained in less than an hour if the pros have your information. And with debit cards, whether or not you get your money returned is purely up to the good will of your Bank or Credit Union – not a good position to be in. With credit cards your liability is more limited.

      Credit card companies should be generating random card numbers as a standard practice now, with all these data breaches.

      • KestrelBike

        I wonder if something like 2-factor identification could be possible w/ credit card transactions? Or, an ability to set a limit to where you’d need it for a transaction (say, anything about $40 or something). That way buying snacks at 7-11 isn’t a PITA, but getting gas or big online purchases would be a bit easier to catch if fraudulent.

        • Beerfarticus

          Two of my credit cards have an option to e-mail or call me if a purchase is over X number of dollars in a single purchase (I can specify when this is triggered), but this is just a notification, not a ‘Wait, do not process the transaction’.

          Security wise, the US credit card industry is still stuck in the early 1990s. They’re just now getting EMV (chip and pin) rolled out, which can reduce in-store fraud, but does nothing for telephone/internet purchases.

  • Anon

    This again? I swear, these things happen every other week.

    • Beerfarticus

      Yeah, Palmetto State Armory was hit earlier in the year as well.

      • notalima

        And AIM Surplus.

      • Palmetto State Armory

        At Palmetto State Armory, we take security issues seriously and work hard to make sure that all of our customer’s information is protected. We maintain our PCI compliance as certified by Trustwave, and regularly test for any possible vulnerabilities that could compromise customer information.

        We have not been notified of any breach by any of our secure partners, banks, or processing companies, nor have we detected any vulnerabilities in our systems, or have any evidence that our system has been compromised. As we have stated before in other threads on the subject, we do not store customer credit card information.

        In the event that a breach is identified by us, or our credit card processor, we would notify our customers.

  • John L.

    “It’s what companies do after that really matters.”

    You mean like having to find out here, rather than from them, that thus happened.

    It matters, all right. And I know my actions in response. I’m never purchasing from them again. Not for the breach, but for the lack of communication afterwards.

    • Beerfarticus

      ^–This. Posting a notification on your Twatter or Facebook doesn’t count. They need to have a large banner on their HOME PAGE notifying customers about this.

      The incident at GMW seems to have been brewing for days on Reddit without any response (and they DO maintain an account there, so that is telling).

      • Rick O’Shay

        Not just a banner on their home page… how often have you bought something from a site, and then don’t buy anything again until a year later? They should have emailed every customer who was potentially affected, their entire customer base if need be.

  • Joel Thompson

    My friend got his

  • Joel Thompson

    My friend got charged $900 not long after this. He didn’t realize it was because of Gunmagwarehouse purchase until this article… My Credit card information was affected as well. So far, no illicit charges on my account. Thanks TFB, I’m notifying my CC company.

  • Limonata

    Many credit card issuers allow you to use one time use CC numbers. If you must use a debit card, open one up at a different bank than your main account. ACH money into that account as you need it and do not have more than you need in that account. Credit Unions work well.

    Use Paypal when possible. Visa, mastercard and America Express all have means to secure your transaction.

    “Securi conducted a new audit this morning and verified our site as secure” — Yawn, zzzzzzzz

    It does not mean a thing. The defense of a website has to continuous and must be tested and check all the time either for network and infrastructure vulnerabilities or software issues. Open Source software despite what is often stated, is no more secure than commercial software. Unless Securi does their audit on a weekly or monthly basis a new or old hole will be opened up again at later date.
    This breach should never have happened.

    • Billy Jack

      Discover used to have that number generator service and phased it out last year or the year before. BofA does it with Apple Pay but I couldn’t find any other way to create them. I liked that a lot since it limited risk.
      PayPal just did a deal with Visa so you can pay or receive funds using PayPal at retailers in person. Not sure of launch but it should help put another barrier between your actual credit card data and thieves.

      • Limonata

        Both Citi and Chase allow you to create Virtual Credit Card Numbers. There are others as well. Simply search “Virtual Credit Card Number” or “One-time use credit card number”

        Even if you do not like Citi or Chase, you can sign up to get one of their cards, and use them exclusively for online shopping. Mine does not even go in my wallet.

        There is a browser plug-in named Abine Blur which once you sign up for their service will do the same for any CC you have.

        Visa also has Visa Checkout and MasterCard and American Express have something similar for websites that support those features where you never pass any info to the merchant.

        There are options available.

        • Billy Jack

          Very cool. Thanks for the info. I was thinking that it was being phased out for some reason.

  • John

    Buy a prepaid debit card and keep it filled for purchases like this. No reason to put your main accounts at risk.

    • SCW

      That’s what I do as well.

    • Holdfast_II

      No, get a spare credit card with a $500 or $1000 limit and use it for online purchases. With a debit card, you can still lose money – with a credit card you are playing with the bank’s money, and they can absorb the carry while disputes are resolved.

      • Chatterbot

        The problem is when you need to contest a charge on your prepaid card, or really do anything that requires customer service. Then you are SOL.

        • KestrelBike

          I don’t think he’s saying “prepaid” cc, just a spare, or separate one from the main account. So the spare is still from a reputable place that has good customer service, it just has a lower limit.

  • Kivaari

    Wells Fargo stopped several fraud attempts and did good routine inquiries on my cards. It saved me big bucks.

  • Sasquatch

    My debit card was hacked once. The hacker made a grave mistake. Never hack a poor man.

    • haha

      • Sasquatch

        Yep they tried to spend over $600 on Itunes and $250 some place else on the internet.

    • Anonymoose

      Some chav flew from London to Dubai on my debit card once. I got most of the money back, but not all.

      • Billy Jack

        Are you saying chav like to say a random slag or was it really a chav? Lol @ a chav wearing a veil in dubai in some harem.

        Not sure how long ago that happened to you but I always thought the EU and UK had better consumer protections than the US. I’d have thought they’d have covered you or minimum the airline would catch it.
        Here any credit card fraud is protected by the financial institutions as long as you report it within a certain time frame. Most of the banks I use have like a $50 initial hit that I have to absorb first.
        We just got chips in our credit cards that have been in Europe for years and they didn’t even implement all the features that make it safer.

        • Anonymoose

          I just assumed it was a chav because they flew out of London Heathrow. I guess it could have also been a Paki or a Nigerian. This was back in 2010, and I still don’t have a chip in my debit card.

          • Billy Jack

            Wow. I was hoping you were going to say that happened pre-2000. I think if that happened to me I’d be putting up new drywall. I can’t speak for others here but from my consumption of news in America I always had the idea that consumers in western Europe have it much better than us across the board. That completely sucks. Globe trotting scammers smh

  • Thanks for the heads up about this, it will surely be disseminated more widely than a notice on a company Facebook page.

    This is why I don’t by from Natchez Shooters Supplies anymore; last year they had a data breach– about which they never bothered to inform any potentially affected customers– and a month after I placed an order with them an organized criminal gang was buying $1400 worth of televisions and phone cards with my CC number burned onto a blank card.

    …The Austin Police Department Financial Crime Unit kicks ass, in case anyone was wondering.

  • john huscio

    Great, I just ordered a few mags from them……. no credit abnormalities though… got my mags too…

  • Jon S

    Ah, now I know how it happened. I was pointing the finger at another store. Nobody has contacted me contray to the article claims