Credit card info stolen from Strat's site

Head's up, not sure why the company isn't posting this on these forums or on the 365 game pages or even on the main page, but several people that belong to strat facebook groups are reporting that Strat has informed them of a hack in late January/early February that has lead to credit card info being stolen and used for fraudulent purchases:

https://t.e2ma.net/webview/zkbhjc/45f0c ... bc338a6bc0

If you bought something from Strat recently and used your credit card, check with your bank and see if there are any weird charges. People are reporting on facebook, large fraudulent purchases in the thousands of dollars on their cards as soon as a day after a purchase on Strat's site. Paypal purcahses do not seem to be affected.

I can confirm being one of the victims & of course not being notified by STRAT. After purchasing the ratings guide (in that time frame) both cards on file with them were compromised. Someone in Atlanta, GA was gorging at Chik Fil A & trying to make their mortgage payment on my B of A card.

RickP
mlbphan

Sorry to hear that Rick.

Still nothing on any of Strat's web pages, that is inexcusable to me. I'm not the only one that did not receive the email.

I received the email, and coincidentally just had to cancel my CC because of a $530 charge at Sam's Club Online just this past weekend. I had purchased the ratings guide in January, and never thought anything of it until I received their email. Now, I can't help but think it must be connected.

I bought teams in december and so far so good. Now got me worried. Why i hate putting things online.

I am one of the victims. Three purchases that weren't mine. Total was around $170.

1. Victoria's Secret (Yep!)

2. Cheesecake Factory (at least they have good taste in sweet stuff)

3. Overstock.com (I don't know)

Niners, THANK YOU for posting this! You probably saved me many more headaches. I need to check my bank balance more often.

$207 spent on e-bay. My bank has covered it. I like to think that they bought baseball stuff. Probably not though.

Niners, THANK YOU for posting this! You probably saved me many more headaches. I need to check my bank balance more often.

You are welcome.

I’m still flabbergasted Strat has not posted anything about it on any of their web pages. I get that they sent an email but clearly that didn’t reach the whole customer base. Totally irresponsible on their part IMHO.

Reposting this from another thread for visibility:

It looks like if you are on the marketing email list, you got notified.

Code: Select all

February 8th, 2021

To our loyal customers-

We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website. 

When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.

In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. 

We have also engaged a third party to investigate and we will update as we learn more.

Any pre-order previously placed will be sent upon commencement of shipping later this month.

Apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic

A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably don't have the experience to know what the best practices are unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though, hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind though, that the time frame of the risk extends well beyond immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob