UK Gaf: Boomerang rentals (possibly) hacked.

Used Boomerang years ago, but used a 3V top up card that has since been deactivated anyway, so should be safe.

They should admit being hacked if they have, so customers have a chance to avoid fraudulent charges by warning their banks, not hope it all goes away and people forget.
 
Just cancelled my card as I had a £4.48 iTunes payment I didn't know anything about, hopefully got it stopped before anything more serious came out.

And yes, I used Boomerang about a year ago for a month or two.
 
Boomerang offer a great service since they sorted themselves out but their PR is absolutely ridiculously shit. They are a complete shambles.

When LoveFilm went down and everyone switched to Boomerang they couldn't cope with the uplift in subscribers and their service was terrible for a short time, getting a game could take 3 weeks. Their FB and Twitter were full of people asking questions and they just completely ignored everyone. Didn't even make a statement until about 2 months into the issue and even then it was a shit one.

They really need to sort out their comms. It is letting the whole business down.
 
Geez...2014-2015 is the year of cyber attacks.
At this rate, Congress and the EU/UK will need to pass a stronger digital protection law and make PCI a law requirement instead of an industry standard.
And all the governments need to beef up their cyber counterattack department as well.
 
I've had nothing odd on my account although there isn't actually that much to spend there. Probably still cancel my card anyway. Anyone know what the quickest way to cancel my account with Boomerang is?
 
Boomerang have just posted a statement to Facebook
Boomerang Video Ltd
12/1/2015
Following an initial enquiry at the end of last week, we have had a number of customers raise concerns regarding fraudulent payment attempts on their card details that are also registered with us.
We are fully investigating this issue and have temporarily removed access to our website while this continues.
We have contacted our Payment Provider Sagepay and our Merchant Bank World Pay and neither have any reported concerns relating to us.
However, please be assured we are treating this with the utmost urgency and can provide more information on our findings as they become available.
If you have any concerns, please contact your card issuer.
We apologise for any inconvenience the removal of our site has caused and thank you for your patience as we continue to investigate further.
 
Hadn't heard of boomerang rentals before.

Piqued my interest though, how's the service? Can you rent current gen titles on that £3.99 deal?

Read on other rental sites they don't offer current gen rentals till you're paying over £15.

Once all this fraudulent behaviour has tided over, would it be worth signing up?
 
You can't get PS4/Xbone on the £3.99 package, have to be on the Unlimited 1 at least which is £9.99
 
I have had no issues with Boomerang up until now, if it is them of course that has been breached. I am a priority member who gets 2 new games at a time, I always get them on release day, and have saved a lot of money by using them as a service, as I'm the kind of gamer that buys games, completes them and sells them on, so renting them suits me.

I hope they treat this as seriously as it seems a lot of us who rent with them have been hit, and they will lose valued customers if they try to sweep it under the carpet.

cancelled my card ASAP anyway.
 
One more here - recently had my bank contact me to investigate some suspicious looking transactions and it turns out they weren't made by me.

Thankfully they caught it and contacted me before allowing the money to be taken, but have had to cancel my card and have another sent.

The attempted transactions were for top ups on Vodafone and O2 mobiles, by the looks of it. Not heard a peep about it from Boomerang though, who I am a current subscriber with.
 
Different experience to me. I can count on one hand the number of times in the 5 years I haven't got a new release game on day one.

I have to agree, only been subscribed for about a month and a half but the service I received was excellent. My only problem is I was considering cancelling it anyway because I have too much to pay already.
 
Not been hit yet, ordered a new card anyway. Been checking my internet banking fascinated to see when/if the cunts try, but it seems almost assured this must be Boomerang related now.

Dunno what to do about my sub. I assume it can't continue once the card details they have are cancelled, but they must understand nobody is gonna be giving them shit in the short-term if the whole thing is shagged?

They'd just started to get vaguely good after a year of being pretty shit with new releases. Nowhere near the LoveFilm heyday though, sorely missed :(
 
Boomerang have decent 1-2-1 customer service, but it's situations like this, or the shambles when LoveFilm closed, where they seem to bury their heads in the sand.

I've not been hit.
 
I wrote them an email yesterday to say I'd been hit, just had a response. It's just a rehash of the previous statement, but at least they're writing to people:

Good afternoon Turnstyle,

Thank you for your email and sorry to read that you experienced fraudulent activity on your bank account.

Following an initial enquiry at the end of last week, we have had a small number of customers raise concerns regarding fraudulent payment attempts on their card details that are also registered with us.

We are currently investigating this issue and have temporarily removed access to our website while we investigate.

We have contacted our Payment Provider Sagepay and our Merchant Bank World Pay and neither have any reported concerns relating to us.

However, please be assured we are treating this with the utmost urgency and can provide more information on our findings as they become available, if you would like us to.

If you do have any concerns, please contact your card issuer.

We apologise for any inconvenience the removal of our site has caused and thank you for your patience as we continue to investigate further.
 
I got hit yesterday with 2 transactions. One for £900 which they authorized and a second for £1200 which they blocked.

Card has been cancelled and now have to wait for card issuer to send a letter for me to sign before they give me a refund of the £900 back onto my account!

I can't believe how Boomerang are pretty much denying it too. I saw the reddit thread and then a day later my card has fraudulent transactions!

It's not a coincidence!
 
Very disappointed to learn about this through social media first.

Not at all acceptable and informed them I want my account cancelling.

Two attempted charges through John Lewis for me.
At the price given I can only assume iPads

Give me PayPal
 
Storing card details to charge every month seems odd to me anyway. Why not set up direct debits or allow PayPal use? I'm so annoyed right now and have cancelled my sub!
 
Checked today. £3000 used to buy Microsoft products. The irony.

Cards cancelled, fraud protection kicked in, so that's fine. Question is; what do I do now? I really like Boomerang, but is cancelling the smart thing to do? If they've got my details but I've swapped cards, I'm now 'safe' - but is there an increased/decreased chance they'll be hit again? Would changing password do anything?

Thanks.
 
I've contacted my bank, better to be safe than sorry and cancelled my card.

They say no pending charges are waiting - so fingers crossed.

Boomerang have been great in my experience and share many of the sentiments here. Such a shame and I hope this doesn't do any long term damage.

Personally, I was thinking about cancelling anyway, largely due to the fact I have a huge backlog of bought games.

Good luck to everyone getting their money back, your bank is generally very forthcoming and quickly sort these things out.
 
I got hit yesterday with 2 transactions. One for £900 which they authorized and a second for £1200 which they blocked.

Card has been cancelled and now have to wait for card issuer to send a letter for me to sign before they give me a refund of the £900 back onto my account!

I can't believe how Boomerang are pretty much denying it too. I saw the reddit thread and then a day later my card has fraudulent transactions!

It's not a coincidence!
That was when they'd only had a couple of people mention it.

You could most likely take those couple of people and find another tie. All shopped in Tesco, all ate at McDonalds, all used Amazon - the list could go on.

The important bit they missed out in their initial response though was that they would conduct a thorough investigation regardless; in their defence they did change their tune once a lot more came forward.

But has it been poorly handled? Yes.
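The "find another tie" reasoning in the post above is what a card issuer does formally as a common-point-of-purchase check: a merchant shared by all the victims means nothing if it is also shared by everyone who was not defrauded. The script below is an added example with constructed data, not anything a bank or Boomerang published; the merchant names are labels only.

```python
"""Common-point-of-purchase check: given cardholders who reported fraud and a
control group who did not, which merchant is over-represented among the
victims? Added example with constructed data, not a bank's or Boomerang's
analysis; merchant names are just labels."""
from collections import Counter


def cpp_rank(victims: dict, controls: dict, min_victims: int = 2) -> list:
    """victims / controls map cardholder -> set of merchants on their statement.
    Returns (merchant, victim_hits, lift) sorted by lift, where lift is the
    merchant's share among victims divided by its share among controls."""
    victim_hits = Counter(m for merchants in victims.values() for m in merchants)
    control_hits = Counter(m for merchants in controls.values() for m in merchants)
    ranked = []
    for merchant, hits in victim_hits.items():
        if hits < min_victims:
            continue  # one victim is not a pattern
        victim_share = hits / len(victims)
        # add-one smoothing: a merchant unseen in controls gets a large, finite lift
        control_share = (control_hits[merchant] + 1) / (len(controls) + 1)
        ranked.append((merchant, hits, round(victim_share / control_share, 1)))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


# Constructed: five cardholders who reported fraud ...
VICTIMS = {
    "v1": {"Tesco", "Amazon", "GameRental"},
    "v2": {"Tesco", "McDonalds", "GameRental"},
    "v3": {"Amazon", "GameRental", "Argos"},
    "v4": {"Tesco", "Amazon", "McDonalds", "GameRental"},
    "v5": {"Tesco", "Amazon", "McDonalds"},
}
# ... and twenty who did not, with the everyday merchants just as common.
CONTROLS = {f"c{i}": set() for i in range(20)}
for i, merchants in enumerate(CONTROLS.values()):
    if i < 16:
        merchants.add("Tesco")
    if i % 10 < 7:
        merchants.add("Amazon")
    if i % 2 == 0:
        merchants.add("McDonalds")
    if i % 5 == 0:
        merchants.add("Argos")
    if i == 7:
        merchants.add("GameRental")

if __name__ == "__main__":
    for merchant, hits, lift in cpp_rank(VICTIMS, CONTROLS):
        print(f"{merchant:<12} victims={hits}/{len(VICTIMS)} lift={lift}")
```

Tesco and Amazon appear on four of the five victims' statements, but they appear on most of the control statements too, so their lift sits around 1. The rental merchant appears on four of five victims and one of twenty controls, so it stands out; that is the tie worth investigating, and the one a merchant bank's fraud desk would have seen with only a few victims if it had been asked to look.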
 
Got hit last night, £670 from Sonos. My bank blocked it and called this morning to check it was genuine. Card cancelled.

Anyone that's not already, I'd probably phone and cancel your card even if you've not been hit yet, seems like it's just a matter of time before they try your card.
 
I'd mentioned this to my parents yesterday as we signed up for the Boomerang free trial a few years ago, just found out they've now been hit. We haven't had any card details on the Boomerang site for around 2 years but someone still got them.
 
Yeah, there's multiple people reporting cards entered but inactive for years have been misused.

That shouldn't happen, under PCI guidelines they aren't even allowed to store CV2 numbers after processing, so it suggests they either didn't implement the guidelines properly (some web developers just ignore the PCI guidelines for ease and then tell the client they comply) or somebody hacked them years ago and has been storing the details themselves (a technique called CMS skimming).
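The PCI point in the post above is checkable: PCI DSS says the CVV2/CV2 may never be kept after authorisation, and a stored PAN must be rendered unreadable. The scanner below is an added example, not Boomerang's, Sage Pay's or a QSA's tool; it runs a Luhn check over digit runs in dump or log lines so that order references and phone numbers are not flagged, and looks for a CVV-named field next to them. The four sample rows are constructed and use public test card numbers.

```python
"""Scan a database dump, log file or backup for payment card data that
PCI DSS forbids keeping: a CVV2/CV2 held after authorisation, or a PAN
stored readable. Added example, not Boomerang's or anyone else's code;
the sample rows are constructed and use public test card numbers."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A field whose name says CVV/CV2/CSC followed by three or four digits.
CVV_RE = re.compile(r"\b(?:cvv2?|cv2|cvc2?|csc)\b\W{0,3}(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out order refs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four, the most PCI DSS lets a display show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan(lines) -> list:
    """Return (line_number, issue, masked values) for every offending line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        cvvs = CVV_RE.findall(line)
        if pans:
            findings.append((n, "PAN stored readable", [mask(p) for p in pans]))
        if cvvs:
            issue = "CVV stored alongside PAN" if pans else "CVV stored"
            findings.append((n, issue, ["***"] * len(cvvs)))  # never echo the CVV
    return findings


# Constructed rows in the shape of a key=value application log or table dump.
SAMPLE = [
    "id=1 email=alice@example.invalid pan=4111111111111111 cvv2=123 exp=12/16",
    "id=2 email=bob@example.invalid pan=5500 0000 0000 0004 exp=01/17",
    "id=3 email=carol@example.invalid token=tok_8f3a9c last4=0004 exp=01/17",
    "order_ref=1234567890123 total=19.99",
]

if __name__ == "__main__":
    for n, issue, values in scan(SAMPLE):
        print(f"line {n}: {issue}: {', '.join(values)}")
```

Rows 1 and 2 are what a non-compliant store looks like (row 1 is the worst case, CVV kept next to the card number); row 3 is what a tokenised record looks like, and row 4 shows a 13-digit value that is not a card number. Running this over database backups and application logs is how you find the "backed up elsewhere" copies that stay around after the live table is cleaned.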
 
I'd mentioned this to my parents yesterday as we signed up for the Boomerang free trial a few years ago, just found out they've now been hit. We haven't had any card details on the Boomerang site for around 2 years but someone still got them.

I removed my card details when I cancelled my sub nearly a year ago myself.

Either the hackers have been harvesting card details over the last 2+ years or Boomerang have been keeping our card details. The latter seems more likely to me.
 
Seeing what some people got hit for I'm lucky it was just a £20 Vodafone top up on my credit card last Friday. Barclaycard flagged it as suspicious and contacted me, which is how I got to know about this. Just waiting for the new card now.

Think I'll probably end up sending back the games I have and cancelling, but not until I can get on the site to clear my rental list. Cancellation will be accompanied by an e-mail demanding the complete removal of all my details from their system.
 
Man, looks like I'm lucky I changed bank a couple of months ago. Shame as I quite liked Boomerang's service and only stopped using them as I was trying to cut back on expenses.
 
Wow so there's people without credit card details on the site anymore for years and they still got hacked, shit. Better cancel my card just in case.

I gotta say, not looking good for Boomerang.
 
Seeing what some people got hit for I'm lucky it was just a £20 Vodafone top up on my credit card last Friday. Barclaycard flagged it as suspicious and contacted me, which is how I got to knowing about this. Just waiting for the new card now.

Think I'll probably end up sending back the games I have and cancelling, but not until I can get on the site to clear my rental list. Cancellation will be accompanied by an e-mail demanding the complete removal of all my details from their system.

I wouldn't worry too much. If they get through this I think they will have to invest in security and overhaul their procedures. You can survive a hack like this but not many survive two hacks. Shopto survived a similar ordeal but if they got hacked a second time I think they would struggle to recover.
 
http://ow.ly/d/2SlQ

They have posted a PDF press release, can someone do a copy and paste (it is tricky on my phone).


Edit: in summary they will introduce a token system instead of storing payment details, are considering PayPal, and will email all customers soon.

Site will remain offline until these changes have been made.
 
What happened

On Friday we were contacted by a customer who was concerned that a fraudulent charge had been attempted on his credit card, and he was worried that our system had been compromised. He quoted another person who had made a comment on Twitter of a similar issue.

What we did

We began an investigation as soon as additional concerns were raised. Credit card data is stored in a strongly encrypted format and not viewable to any internal staff, however, at that stage, we felt we should take the concerns seriously. Over the weekend, we noticed other people online reporting similar issues and we became increasingly concerned. So, based on the information available at the time and conscious of the concern, we made the decision on Sunday afternoon to take the site off line while we continued our investigations.

Where we are

By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provider and they also had no concerns. They are assisting us in a consultative capacity. By this time we could see lots of people talking about this online, but only a few people had contacted us directly.

To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously. We have also made the decision to very quickly move over to a token method of payment which obviates the need to have encrypted data on our servers, to give our customers further reassurance.

We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details in their encrypted form, from our online system, and are removing the facility to update or provide card details until the work is complete. Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system.

We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further choice.

What next

First we will start to process incoming and outgoing rentals. Then, once we are satisfied that our investigations are complete, we will bring our website back on line so existing customers can see their rental lists. We apologise for the inconvenience caused to our customers while this work is undertaken. Once everything is running again, we will be back in touch and will include updates at that time.

Finally, we would like to re-emphasise that we have not found any evidence of a breach in our systems (our systems were regularly tested for vulnerabilities by a 3rd party specialising in this) but our Engineers and Technical Advisors continue to investigate.
We are aware of the interest and concern this situation has raised and care about our customers and our reputation greatly and are urging our customers to get in touch with us immediately if they have any concerns. We will shortly be sending an email directly to each of our customers.

Telephone: 01604 654140
Email: customersupport@boomerangrentals.co.uk

 
"We also contacted our payment gateway provider and they also had no concerns."

Pro-tip: They should no longer be your payment gateway provider because they're fucking reckless, shit, lazy, and seemingly clueless.
 
Cancelled my card last night just to be on the safe side. I tweeted them last night asking if I could cancel my subscription while the site was down and I got this reply:

[screenshot of their reply]


They later tweeted me and asked me to DM them to get it cancelled but that's just :/

I'm still amazed they haven't sent an email out to customers either. Their most recent statement says they will shortly but it's been just short of four days since the first reported incident.
 
They can't find any evidence of wrongdoing? Hmmmmm

Maybe the wrong people are looking. Or it could have been a clever hack or even an inside job.

The circumstantial evidence is overwhelming but the physical evidence might be harder to find. They might have to hire someone who actually knows what to look for.

"We also contacted our payment gateway provider and they also had no concerns."

Pro-tip: They should no longer be your payment gateway provider because they're fucking reckless, shit, lazy, and seemingly clueless.

How sure are you the flaw was in the system of the payment processor? They (boomerang) already admitted to storing card info, even from cancelled accounts, on their own systems - encrypted or not.


Cancelled my card last night just to be on the safe side. I tweeted them last night asking if I could cancel my subscription while the site was down and I got this reply.
I'm still amazed they haven't sent an email out to customers either. Their most recent statement says they will shortly but it's been just short of four days since the first reported incident.

RE: cancelling. They have deleted all payment details (so they claim) - so if you send all the games back then you are essentially cancelled as they have no card details to bill you with. Just formally cancel by email or when the site is back up.
 
"We also contacted our payment gateway provider and they also had no concerns."

Pro-tip: They should no longer be your payment gateway provider because they're fucking reckless, shit, lazy, and seemingly clueless.
It would be very unlikely to be the payment processor. If it was the payment processor then there'd be thousands of people going 'my account and monies and blah blah blah!'.
 
It would be very unlikely to be the payment processor. If it was the payment processor then there'd be thousands of people going 'my account and monies and blah blah blah!'.

Their payment processor is Sage Pay, who are big. The other company is WorldPay, who are huge.

It likely isn't them. Boomerang have a single server running, for example, their cart PHP system (on MySQL, which stores CC info), along with an old install of WordPress with a known exploitable template on the same MySQL database. Have a look yourself, it is textbook breach material.

It's all remotely managed, and their IT is outsourced to Freetimers.com, who also work remotely. It also appears to be single factor authentication, no antivirus. Anybody who also works in security (hello) will know the problems here.

Edit - breaches like this also sometimes stem from databases being backed up elsewhere, then the backups being owned. Given the number of people affected, somebody screwed up somewhere.
 
How sure are you the flaw was in the system of the payment processor? They (boomerang) already admitted to storing card info, even from cancelled accounts, on their own systems - encrypted or not.

It would be very unlikely to be the payment processor. If it was the payment processor then there'd be thousands of people going 'my account and monies and blah blah blah!'.

While I doubt it's SagePay, for me it's the language Boomerang has used throughout, where it's like "no concerns". Yeah, none, really? Everything's fine, go back to sleep. I imagine SagePay would have at least said "you need to seriously check your shit on your end" or offered some advice the more this became obviously tied to Boomerang.

Is Boomerang run mainly by non-English-as-a-first-language people? Because that's the feeling I get often with them. The website always seemed like cobbled together shit, and well, now its most damning aspect has come to light.
 