Chugger pump hacked user data

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum


rustybeer (Member; joined Oct 29, 2011; messages: 17; reaction score: 3; location: stillwater)
Have just informed Chugger pumps that their data has been hacked and user email addresses and passwords have been posted on a Facebook site.
If you have placed an order with Chugger pumps in the last year and a half and used the same password for other sites, you might want to change them.
If you do a Google search on your e-mail address you should come up with a link like this.
(Anonymous - الجزء الثالث : ++++++++++++ Data Found - Facebook)

To search for your email address "[email protected]", don't forget to put the quotation marks on both sides of the email address.
 
Chuggerpumps.com was hit by a security breach. The company sent an email to its customers informing them that their user names, email addresses, passwords “may have been accessed by unauthorized individuals.” If you did not receive the email you should see it shortly.

Chugger Pump stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don’t believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

As a precaution, Chuggerpumps.com has deleted all its customers' usernames and passwords. If you use your Chuggerpumps.com password elsewhere, make sure to change it there as well.

We apologize for this inconvenience. This happens to the best of us....Large and small companies. Thank you for all your support and the success of Chugger Pumps!
 
Why is this in electric brewing and not somewhere with higher traffic? There are a lot of names on that list...

I haven't gotten an email from Chugger and these people posted the passwords on Sept 5th.
 
Why is this in electric brewing and not somewhere with higher traffic? There are a lot of names on that list...

I haven't gotten an email from Chugger and these people posted the passwords on Sept 5th.

I second this

I also advise everybody to report the post on Facebook to try and get them to do something...even though the scumbag will still have our information
 
Come on. Ugh...Chugger, you need to post this somewhere more visible on this site, rather than piggyback on this thread which is buried. Also, it seems pretty crappy that this thread was time stamped BEFORE my email was sent out. How does that happen?

FFS.

https://www.facebook.com/AnoNymousdzhack/posts/429636430487337

UGGHGHGHGHGHGHGH!!!!!!!!

Edit: I posted that link so those of you who are now unsure which password/username combo has been breached (since Chugger deleted them) can find it on this document. This most certainly does NOT happen to the "best of (them)". It happens to companies that don't take your security seriously. Mods...I kindly request that you move this thread to a more visible location.
 
As someone who's on that list, I agree this needs to be in a more visible place. People need to know which email/password combinations have been breached. Maybe post a list of email addresses and partially hidden passwords since the Facebook page will hopefully get taken down.
 
I first found out about it when Chugger posted it on Facebook. It looks to me the OP is the one that brought this to their attention. I did get an email a couple hours after I found out about it as well.
 
Coff said:
Why is this in electric brewing and not somewhere with higher traffic?

First Midwest, now Chugger.

Mods, can we get a "Hacked Vendors" forum created?

Joking... Kind of...
 
If you are on facebook report the post so they can remove it and hopefully the user.
 
This most certainly does NOT happen to the "best of (them)". It happens to companies that don't take your security seriously.

Do a google search for customer data hacked.

Massive companies get hacked all the time. No one is impervious to hacking. NASA was hacked by a 15 year old.
 
So what's Chugger going to do to prevent it from happening again and to safeguard customer information?
 
So this sucks. I'm on there. And the date of the post almost directly corresponds to the date/time when my credit card numbers were stolen and used to purchase hundreds of dollars of online gaming credit.

Be careful out there guys
 
Everybody please report the post

screenshot_89.jpg
 
Do a google search for customer data hacked.

Massive companies get hacked all the time. No one is impervious to hacking. NASA was hacked by a 15 year old.

I stand by my post. It's amateur hour. I spend about 60k per year online for work, this is the first time an e-tail vendor I've worked with that has managed to get my information posted on Facebook. I've worked with private information of clients for years. I've never once exposed financial data of ANY of my clients let alone every single one of them. Google it. Ugh. Google how to keep your data safe, there's millions of companies every year that manage to do it.

If your name isn't on the list, please refrain from engaging me on this subject.


I'm spittin' mad about this. My original order got screwed up and the company owner was borderline belligerent. I suppose that's for another post...that I never made btw...because I didn't want to make his crap PUBLIC!

And while I'm at it, why didn't the vendor instantly ask a mod to move this thread to a more visible space? Why didn't the vendor make his OWN visible thread about this? Why is the vendor only the SECOND post on this thread, and why did my email have a time stamp AFTER this thread was started? Amateur hour. Infuriating.
 
So this sucks. I'm on there. And the date of the post almost directly corresponds to the date/time when my credit card numbers were stolen and used to purchase hundreds of dollars of online gaming credit.

Be careful out there guys
So Chugger apparently gets the usernames/passwords hacked, and you are claiming that they are responsible for fraudulent charges on your CC? Please tell me you forgot the smiley and you're joking

I stand by my post. It's amateur hour. I spend about 60k per year online for work, this is the first time an e-tail vendor I've worked with that has managed to get my information posted on Facebook. I've worked with private information of clients for years. I've never once exposed financial data of ANY of my clients let alone every single one of them. Google it. Ugh. Google how to keep your data safe, there's millions of companies every year that manage to do it.

If your name isn't on the list, please refrain from engaging me on this subject.

I'm spittin' mad about this. My original order got screwed up and the company owner was borderline belligerent. I suppose that's for another post...that I never made btw...because I didn't want to make his crap PUBLIC!

And while I'm at it, why didn't the vendor instantly ask a mod to move this thread to a more visible space? Why didn't the vendor make his OWN visible thread about this? Why is the vendor only the SECOND post on this thread, and why did my email have a time stamp AFTER this thread was started? Amateur hour. Infuriating.

First my name isn't on the list but I don't see why that has anything to do with engaging with you in this conversation - The OP said that he had just informed Chugger of the issue (and I am guessing by email) so I would expect some delay between notification and action/confirmation.
I do agree that they should have started a new thread in a visible area to get the word out quicker. The big issue is people that use the same password for everything - including the email they used to sign up at Chugger.
 
So Chugger apparently gets the usernames/passwords hacked, and you are claiming that they are responsible for fraudulent charges on your CC? Please tell me you forgot the smiley and you're joking



First my name isn't on the list but I don't see why that has anything to do with engaging with you in this conversation - The OP said that he had just informed Chugger of the issue (and I am guessing by email) so I would expect some delay between notification and action/confirmation.
I do agree that they should have started a new thread in a visible area to get the word out quicker. The big issue is people that use the same password for everything - including the email they used to sign up at Chugger.

The big issue is people's information on facebook all day. That's why you need to be on the list if you want me to take you seriously. Otherwise you're either shilling for the company or trolling for an argument afaic.
 
Oh didn't you read? They deleted it! All fixed! Thanks for understanding! :smack:

I agree that they need to look at what they need to do to not be hit again - not just dealing with the fallout from this case.
The response from Chugger seems to me to be more to cover off the issues that have just been experienced by Midwest - CC fraud. This is more of an annoyance to Chugger's customers because, although you get told almost daily that you shouldn't, most people use the same password for everything. Get your email and password from some site - 80% chance that you now have access to that person's emails, oh and probably their PayPal account, etc.
I think this is a bigger issue overall when comparing the Midwest CC hack and Chugger's user info hack. Chugger really should be very vocal and quick to respond.
 
I didn't see my name or password on the list, but the list starts at H, Where is A-H? I did get an email saying they lost my crap. I can't remember what password I used for them, I'd like to know what they know,,,, you know?
 
So Chugger apparently gets the usernames/passwords hacked, and you are claiming that they are responsible for fraudulent charges on your CC? Please tell me you forgot the smiley and you're joking

Afraid I'm not joking.

All I've been doing this evening is changing passwords. I'm guessing, if a hacker didn't get my credit card info from chugger, they got it through accessing another account with the same login/password. Either way, not good.
 
I bought a chugger pump in the last year, and I've recently had my CC misused :/ WTH.. It ain't the 90's.
 
It went alphabetical by password. I also sent Facebook an email and shortly got this response.

You reported Anonymous's post for harassment.

Status This post was removed
Details We reviewed the post you reported for harassment. Since it violated our Community Standards, we removed it. Thanks for your report. We let Anonymous know that their post has been removed, but not who reported it. Facebook never discloses who submits a report.
 
I stand by my post. It's amateur hour. I spend about 60k per year online for work, this is the first time an e-tail vendor I've worked with that has managed to get my information posted on Facebook. I've worked with private information of clients for years. I've never once exposed financial data of ANY of my clients let alone every single one of them. Google it. Ugh. Google how to keep your data safe, there's millions of companies every year that manage to do it.

If your name isn't on the list, please refrain from engaging me on this subject.


I'm spittin' mad about this. My original order got screwed up and the company owner was borderline belligerent. I suppose that's for another post...that I never made btw...because I didn't want to make his crap PUBLIC!

And while I'm at it, why didn't the vendor instantly ask a mod to move this thread to a more visible space? Why didn't the vendor make his OWN visible thread about this? Why is the vendor only the SECOND post on this thread, and why did my email have a time stamp AFTER this thread was started? Amateur hour. Infuriating.

Honestly if you were half as good as you claim there would be no issue. Because you would have used a password generated for this specific site only and the password posted means nothing to the rest of the world. Nothing to see here move along. Maybe those that are using the same password on every site should take this as a wake up call.

As for Chugger not posting on HBT today... I consider that a good thing. They are working on the issue. They had taken their entire site down for quite some time yesterday (I assume closing holes). This should be a wake up call to them too. You have to remember this is a homebrewing forum. Probably not their #1 priority to be posting in here. I'm sure they contacted Facebook to get the post removed just like everyone else did in this thread. Facebook is very slow at removing these things. It's been removed so deep breaths.
 
heh. Just went to their website. There is a note on there and they removed all the links to login etc. They are no longer going to do direct sales on their site. You have to buy from their vendors.

Dear Chugger Pumps Customers,
We would like to take this time and thank our customers for supporting Chugger Pumps. We have grown such a large distribution network that we will no longer be selling on our website. The website will be strictly for information only in which we will update the site with new material.
Contact your local Chugger Pump Distributor today!
 
The issue is that sometimes people will use the same password as their email, not thinking about it and in a rush, expecting to change it. It happens and it's not completely their fault. Yes, best practice is to have separate passwords for every single website you visit. In practice that's almost impossible.

Fortunately for me I use a separate email address and different password for all my online banking. Whoever it was also emailed me saying that they "hacked" me (which I'm not sure finding a Facebook post with my email address and password is a "hack" or just plain fortune) and that I should add him on Facebook. I immediately set up two-factor on my Gmail and changed my password to something else.

Hopefully during the time before he let me know that he "hacked" my account that he didn't find any usable information within my account to use at his disposal and my demise.

This is the email I received

"[email protected] pass: United States

plz change your pass and give a strong one...

my email id and facebook id: [email protected] if you like to add me"

According to the email header the originating IP address is out of Scranton, PA. But I believe the guy lives in Bangladesh (based on his email address).

"Received: from [184.22.182.10] by web121104.mail.ne1.yahoo.com via HTTP; Tue, 17 Sep 2013 13:46:00 PDT
X-Mailer: YahooMailWebService/0.8.157.561
Message-ID: <[email protected]>
Date: Tue, 17 Sep 2013 13:46:00 -0700 (PDT)
From: Ayon Hassan <[email protected]>"

And the whole idea that "Facebook took it down so deep breaths" is moot and everyone should realize that once it's on the internet it's hard to remove it completely, if at all...

http://webcache.googleusercontent.c...37+&cd=5&hl=en&ct=clnk&gl=us&client=firefox-a
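
The header check described in the post above, as an added example that is not part of the original post: it reads the `Received` chain oldest-first and reports the address the webmail server recorded for the client. The function names, the `example.*` addresses and the second (topmost) `Received` line are constructed for the example; the other header lines are the ones quoted in the post.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed address literal, e.g. [184.22.182.10] or [IPv6:2001:db8::1]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
PROTO_RE = re.compile(r"\b(?:via|with)\s+(\S+)")

# Constructed message. The topmost Received line and all example.* names are
# made up; the remaining headers are the ones quoted in the post.
RAW = """\
Received: from relay.example.net (relay.example.net [203.0.113.7]) by mx.example.org with ESMTPS; Tue, 17 Sep 2013 13:46:05 -0700 (PDT)
Received: from [184.22.182.10] by web121104.mail.ne1.yahoo.com via HTTP; Tue, 17 Sep 2013 13:46:00 PDT
X-Mailer: YahooMailWebService/0.8.157.561
Date: Tue, 17 Sep 2013 13:46:00 -0700 (PDT)
From: Sender <sender@example.com>
To: recipient@example.org
Subject: constructed sample

body
"""


def received_hops(raw):
    """Return the hops oldest-first (each server prepends its own line)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        ip = None
        match = IP_RE.search(line)
        if match:
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:
                ip = None  # bracketed text that is not an address
        by = BY_RE.search(line)
        proto = PROTO_RE.search(line)
        hops.append({
            "from_ip": ip,
            "by": by.group(1).rstrip(";") if by else None,
            "proto": proto.group(1).rstrip(";") if proto else None,
        })
    return hops


def webmail_client(raw, provider_suffix):
    """Client address of the first hop, if a host of the named provider
    recorded it over HTTP (a webmail submission); otherwise None."""
    hops = received_hops(raw)
    if not hops:
        return None
    first = hops[0]
    by = first["by"] or ""
    same_provider = by == provider_suffix or by.endswith("." + provider_suffix)
    if not (same_provider and first["proto"] == "HTTP" and first["from_ip"]):
        return None
    return {
        "ip": str(first["from_ip"]),
        "recorded_by": by,
        "routable": first["from_ip"].is_global,
    }


if __name__ == "__main__":
    print(webmail_client(RAW, "yahoo.com"))
```

The address found this way is the host that connected to the webmail front end, which can be a proxy, VPN exit or rented server, so geolocating it says where that host is and not necessarily where the sender is. Headers below the first server you trust can also be written by the sender.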
 
Yes, it is unfortunate that the website was hacked but seriously if you're using the same password as your banking password for a shopping cart website it's really the users that are at fault. Come on everyone use some common sense! The last thing Chugger Pumps should do is re-post the list anywhere! Why would you want your information more publicized? Plus, the list has been removed from Facebook. This has happened to 1000s of companies large and small it's how hackers work! Change your passwords for everything you do every 6 months and make them complicated not simple! If you have a real big problem with it call Chugger they have always taken care of their customers.

The issue has been taken care of. Change your password and move on!
 
There are a million programs out there that do this same thing... but maybe take a look at KeePass. It will let you generate a strong password for each site individually and store them in a database. They have a version for your phone as well. You can create a key file to open the database as well as a strong (rememberable) password for it. Then every site you use has a strong password that is distinct to that site.
 
Honestly if you were half as good as you claim there would be no issue.

As for Chugger not posting on HBT today... I consider that a good thing. They are working on the issue.

Some solution they came up with. No clue how to fix it, so we'll just shut down website sales. How can I trust them when they say my CC information wasn't accessed when they apparently don't even know how the incursion happened in the first place?

Regarding your first sentence...it makes no sense. The fact they didn't know about this until OP brought it to their attention and chose to frantically shut everything down tells me all I need to know. I'm not surprised. Since I actually DID business with this company and the owner showed me his personal customer service style at that time. Unfortunately, Pandora's out of her box.

Plain and simple, this business had a fiduciary duty to protect customer privacy, failed miserably, and still doesn't know how it happened, or even what happened. If they did there would be no need whatsoever for the panic move of deleting everything and shutting down web sales.

PS, all who think it's no issue once you change your passwords on all other sites either aren't on the list, or don't realize their email address (which most use on a recurring basis for logins) is now being matched up with password cracking algorithms all over the world. It is necessary to not only change one's password that was compromised, but every single iteration of that password that might have ever been used on every site that it's been used on, and continue changing that password going forward. This was an ounce of prevention or a metric ton of cure.
 
There are a million programs out there that do this same thing... but maybe take a look at KeePass. It will let you generate a strong password for each site individually and store them in a database. They have a version for your phone as well. You can create a key file to open the database as well as a strong (rememberable) password for it. Then every site you use has a strong password that is distinct to that site.

That's great until someone gets your KeePass password (and I think you mean memorable ;-) and by millions I think you mean a handful; LastPass, KeePass, etc.)

You have to remember that it's not the user's security context that was a vulnerability that led to this data breach. It was a vulnerability on the side of the Chugger site servers and/or administration. I can't speculate in regards to what it was, but whatever the case, they were able to parse the user database that had clear text passwords. This would have stopped this vulnerability issue at the door. So that's a HUGE no-no in any online store/login. Someone clearly did not do their due diligence.

Blaming a user because they used the same password on a site as their email password is bad form. Not everyone is as enlightened as you are in regards to security, and as I stated before, sometimes you're rushing and just forget to do so or don't have access to it ("argghh... march madness... must... get... before.... all out!"). Plus changing your password every six months is mitigating but isn't really a great choice either.

I understand that breaches happen and in our current environment they're bound to at an increasing degree. However, a company needs to do everything, to a reasonable degree, to protect all customer information. They also need to do everything they can to resolve the issue to the customer's satisfaction (as defined by the law and regulations).

And just because they removed the link for the account login doesn't mean the page is gone for good. In fact I just reset my password and logged into my account (as shown below). And my customer data is still there (as well as my order information, except for my cc information).

2013-09-18 10_05_41-Chugger Pumps.jpg


2013-09-18 10_07_46-Chugger Pumps.jpg


2013-09-18 10_10_50-Chugger Pumps.jpg
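
What storing something other than clear text looks like, as an added example that is not part of the original post and not Chugger's code: a cleartext table converted to salted, iterated hashes, with a check of what someone reading the raw table would see. PBKDF2-HMAC-SHA256 from the Python standard library, the iteration count, the record format and the table contents are assumptions made for the example; the thread does not say what the site ran.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: work factor picked for this example


def make_record(password: str) -> str:
    """Return 'scheme$iterations$salt$digest' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # cleartext or malformed value: never accept it
    if scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def migrate(cleartext_users: dict) -> dict:
    """One-off conversion of a cleartext table. The old table and any
    backups holding it must be destroyed afterwards."""
    return {email: make_record(pw) for email, pw in cleartext_users.items()}


def dump_reveals(table: dict, password: str) -> bool:
    """True if someone reading the raw table can see the password itself."""
    return any(password in stored for stored in table.values())


# Constructed sample table: two customers who happen to share a password.
CLEARTEXT = {
    "alice@example.com": "Hops&Barley-2013",
    "bob@example.com": "Hops&Barley-2013",
}

if __name__ == "__main__":
    hashed = migrate(CLEARTEXT)
    print("cleartext table reveals password:", dump_reveals(CLEARTEXT, "Hops&Barley-2013"))
    print("hashed table reveals password:   ", dump_reveals(hashed, "Hops&Barley-2013"))
    # Per-user salts make the two records differ although the passwords match.
    print("records differ:", hashed["alice@example.com"] != hashed["bob@example.com"])
    print("login still works:", verify("Hops&Barley-2013", hashed["bob@example.com"]))
```

Hashing slows guessing against a stolen table; it does not protect a weak password or one already exposed elsewhere, so the advice in the thread about not reusing passwords still applies.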
 
Yes, it is unfortunate that the website was hacked but seriously if you're using the same password as your banking password for a shopping cart website it's really the users that are at fault. Come on everyone use some common sense! The last thing Chugger Pumps should do is re-post the list anywhere! Why would you want your information more publicized? Plus, the list has been removed from Facebook. This has happened to 1000s of companies large and small it's how hackers work! Change your passwords for everything you do every 6 months and make them complicated not simple! If you have a real big problem with it call Chugger they have always taken care of their customers.

The issue has been taken care of. Change your password and move on!


First post. Classic shill. Only a fool doesn't see how amateurish this company is handling this.
 
I still like Chugger pumps, I like their SS head, their March madness sales, the good customer service. So I had to change my password to my health club and Amazon, big freeken wop. If you use the same passwords for your banking, you're asking for trouble. Let me guess it was 1234? I checked all my cards and accounts and do not see any charges I did not make, I know this because I'm poor and watch every dime. Every brew day I say a little prayer thanking god for my pumps and how I don't have to lift anything any more. Do you hear me Chugger pumps, LOTS OF US STILL LIKE YOU! But seriously, you guys have to hire a super computer nerd to lock-down customer info.
 
That's great until someone gets your KeePass password (and I think you mean memorable ;-) and by millions I think you mean a handful; LastPass, KeePass, etc.)

You have to remember that it's not the user's security context that was a vulnerability that led to this data breach. It was a vulnerability on the side of the Chugger site servers and/or administration. I can't speculate in regards to what it was, but whatever the case, they were able to parse the user database that had clear text passwords. This would have stopped this vulnerability issue at the door. So that's a HUGE no-no in any online store/login. Someone clearly did not do their due diligence.

Blaming a user because they used the same password on a site as their email password is bad form. Not everyone is as enlightened as you are in regards to security, and as I stated before, sometimes you're rushing and just forget to do so or don't have access to it ("argghh... march madness... must... get... before.... all out!").

I understand that breaches happen and in our current environment they're bound to at an increasing degree. However, a company needs to do everything, to a reasonable degree, to protect all customer information. They also need to do everything they can to resolve the issue to the customer's satisfaction (as defined by the law and regulations).

And just because they removed the link for the account login doesn't mean the page is gone for good. In fact I just reset my password and logged into my account (as shown below). And my customer data is still there (as well as my order information, except for my cc information).

Note they would have to get access to your KeePass database. Then they would have to crack your password. They would also need to get access to your key file as well. My point being it's very difficult (especially if you keep the key file in a secure location).

As for the site and still being able to access your account... yes web development doesn't seem to be their forte lol.
 
So I just checked the Facebook page, it is down. I also logged onto Chugger Pumps' site, and found that I can still access my account. So I went in and changed all my info. I suggest everyone else do the same.

chugger.jpg
 
Update: I just talked to Mike at Chugger Pumps; they were unaware the log on link was still working. He told me that they are working on removing all access points to the accounts now. It still doesn't make it right when you stated that you deleted the user email addresses and passwords yesterday, and just removed the log on link from the page. So let's get this fixed ASAP and live and learn. If you use the same password on multiple sites, learn from this, and be glad it isn't as bad as the other sites that have been recently hacked.
 