UK Gaf: Boomerang rentals (possibly) hacked.

I dare say that's Boomerang finished. I assumed I had an account due to following them on Facebook, but I have no emails or any recollection of signing up, so probably not, but what a disaster.

Just been on the phone to the bank as they don't display pending transactions, and I knew I used my card after the latest transaction. The woman advised there hadn't been any activity other than the one transaction I did make, but she did say something interesting.

I asked if I should be proactive and cancel the card anyway, and she said that this actually wouldn't help, as they could still take money because they can create a tie to the account. So what you would actually need to do is close the account or the account tie; cancelling a card wouldn't do that.

Something to be aware of maybe?

Not sure who you bank with, but that's not the case at all, or shouldn't be the case at all. If they supply a new card (basically because the existing one is compromised), the number and CVV codes on the old card would be useless. Unless they just send the replacement with the same details, which they will do if the card has been, for example, damaged, so you can still use the existing card online for a period.
 
I thought I'd dodged this but I found a £0.00 pending charge from fasthosts.co.uk, the bank said this was probably used to test the card before doing more nefarious stuff with it. Glad I caught it early!
 
While I doubt it's SagePay, for me it's the language Boomerang has used throughout, where it's like "no concerns". Yeah, none, really? Everything's fine, go back to sleep. I imagine SagePay would have at least said "you need to seriously check your shit on your end" or offered some advice the more this became obviously tied to Boomerang.

Yeah, the language has been very laid back up to this point, which really gives off the wrong impression.

I'm sure it's panic stations right now at the company, and I'm guessing it's just a small operation, so maybe we should give them some leeway, but it really could have been handled better.

The problem is that they have found no evidence of a data breach at their end so far, which means that despite all the overwhelming evidence on here, Reddit & Twitter to imply that these fraudulent transactions have stemmed from a leak at Boomerang, they won't proactively contact customers/ex customers to warn them to check their accounts. Hopefully the coverage on here will get people to take a look at their bank statements, but I'm sure there are plenty of users who are oblivious to what's going on.

It's worth repeating to anyone reading this that if you're a customer, or ex customer, check your accounts ASAP.
 
No unauthorised transactions on my card yet. My Boomerang account is set to holiday until March, but it seems others who cancelled their accounts have been hit, so I'm just gonna keep checking my bank so I can catch it early if anything happens.
 
I signed up for the service on Friday morning last week (timing, right?), and I haven't been hit....

I emailed Boomerang's Managing Director, here is what he had to say: http://gmbr.it/fryjd

Ha, that's my tweet you link to in the article. I actually sent them an email to similar effect (saying that their press release was insulting). They replied with a copy of the very same press release... yeah, sums it up really.
 
I dare say that's Boomerang finished.

Why? It is bad PR, but if the matter is dealt with correctly and the company is relatively stable then it will survive (as it should, unless there are any criminal levels of negligence).

Part of the problem for me isn't the three fraudulent transactions on my account, but some of the sensationalist reaction from people online.

I'm not intending to cancel my subscription - I've been a member for 5 years and this is the first issue of any kind I have experienced. I imagine they are quite a small company with tight cost control and it is quite sad to see them being targeted. I'm not making excuses for them, however I am trying to show some understanding.
 

It hasn't been handled well at all. We'll be at a week soon enough and still no mass warning email to customers because they're hoping they can get away with the bare minimum and not alert the rest of their potential victims.

The longer that continues, the less trust people will have in them going forward. Them saying "hey maybe we'll do PayPal at some point?" isn't good enough. They simply MUST have this as an option this month or next because people don't just hand over new card details they had to get fucking reset to the fuckups that got them into shit with their bank in the first place.
 
They don't want to do PayPal, as if someone cancels and does not return a game then they can't charge them for it. Recovering the money using civil options all costs more than the debt.

As for this killing their business - it will hurt them in the short term, but unless another company steps up, they have no competition. I know that I am likely to stay with them - just with a pre-paid card this time for my own precaution.
 
Got charged 30 quid by O2 and another transaction for 0.00 from bonanza.com; this is where they tested my card.

Gotta get a new card.

Only signed up for the free trial and cancelled it straight away.

Bastards
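The pattern several posters describe (a £0.00 "test" authorisation at an unfamiliar merchant, then larger charges at other unfamiliar merchants within days) is something a cardholder or a bank's fraud team can flag mechanically. This is an added example, not code from the thread or from any bank; the statement and merchant names below are constructed.

```python
"""Flag card-testing: a zero (or tiny) authorisation at a merchant the card has
never been used with, followed within a few days by higher-value attempts at
other unfamiliar merchants. Added example with a constructed statement."""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    when: date
    merchant: str
    amount: Decimal
    status: str  # "settled", "pending" or "declined"


# Constructed statement: two genuine purchases, then a GBP 0.00 probe and a burst
# of new-merchant charges, one of which the bank declined. Names are placeholders.
SAMPLE = [
    Txn(date(2015, 1, 15), "GROCER-EXAMPLE", Decimal("42.10"), "settled"),
    Txn(date(2015, 1, 18), "RENTAL-EXAMPLE", Decimal("7.99"), "settled"),
    Txn(date(2015, 1, 20), "WEBHOST-EXAMPLE", Decimal("0.00"), "pending"),
    Txn(date(2015, 1, 21), "MOBILE-EXAMPLE", Decimal("30.00"), "settled"),
    Txn(date(2015, 1, 22), "ELECTRONICS-EXAMPLE", Decimal("600.00"), "settled"),
    Txn(date(2015, 1, 22), "DEPTSTORE-EXAMPLE", Decimal("579.00"), "declined"),
]


def seen_before(txns, merchant, cutoff):
    """True if the card was used at this merchant on any date before cutoff."""
    return any(t.merchant == merchant and t.when < cutoff for t in txns)


def find_card_testing(txns, probe_max=Decimal("1.00"), window_days=7):
    """Return [(probe, follow_ups)] pairs. A probe is an authorisation of at most
    probe_max at a merchant new to the card; it is reported only when higher-value
    attempts (settled or declined) at merchants also unknown before the probe
    follow it within window_days."""
    ordered = sorted(txns, key=lambda t: t.when)  # stable: same-day order kept
    alerts = []
    for probe in ordered:
        if probe.amount > probe_max or seen_before(ordered, probe.merchant, probe.when):
            continue
        horizon = probe.when + timedelta(days=window_days)
        follow_ups = [
            t for t in ordered
            if t is not probe
            and probe.when <= t.when <= horizon
            and t.amount > probe_max
            and not seen_before(ordered, t.merchant, probe.when)
        ]
        if follow_ups:
            alerts.append((probe, follow_ups))
    return alerts


def settled_exposure(alerts):
    """Money that actually left the account across all flagged follow-ups."""
    return sum((t.amount for _, fu in alerts for t in fu if t.status == "settled"), Decimal("0"))


if __name__ == "__main__":
    for probe, follow_ups in find_card_testing(SAMPLE):
        print(f"probe: {probe.when} {probe.merchant} {probe.amount}")
        for t in follow_ups:
            print(f"  {t.when} {t.merchant} {t.amount} ({t.status})")
```

Declined attempts are kept in the alert on purpose: a blocked £579 is still evidence the card number is in circulation, which is exactly when the card should be replaced.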
 
Quick update: it looks like they're planning to put the site live again sometime tomorrow, based on a reply on Twitter.

If you've still got an unabused card on the system I'd be tempted to update the card number to be gibberish, in case a security issue still exists. Note that sometimes companies who get implicated in breaches go back online without the payment details page, to stop people leaving or for other reasons - might happen here.
 

They claim they deleted all held card details, encrypted or not.
 
Was that the wording they used? Because that implies they're admitting they had un-encrypted card details on their system.

I'll dig it out from their twitter feed if I can but they didn't say that - it was my interpretation. It was that they had deleted all held card info - even though they maintain that the info was encrypted all along.
 
Site is back up for people who want to manage their queue.

No joining or change payment pages working yet.

You can get to the payment pages by hitting escape when they load (they're not supposed to work but you can get to it basically and update your card).
 
Why would you want to? Is it showing your old card details still?
You couldn't/can't view the details you previously put in and they said they deleted them all anyway. If it doesn't error then all you're likely doing is filling up the database table that wasn't removed with new info.
 
Get £12 worth of Payback Points and Exclusive Access to Bonus Games
We are very sorry if you have been affected by the recent website issues and, to show our appreciation, we would like to give you these exclusive offers.

If you are a live account holder (even if you are waiting to update your payment details) on 26th January 2015, and feel you have been affected, email us and we will sign you up to this offer, and give your account “legend” status.

We will then give you £4 worth of Payback Points over the next 3 months* (starting in February) and as soon as available, give you 3 months exclusive access to Bonus Games.

What is Bonus Games?

Bonus Games allows you to rent additional games at no extra cost (just redeem your points).

You can rent these games for 2 weeks, which allows you to double your games at home for that period**. So, if you are on a 2 game package, you could have up to 4 games at home at a time!

There will be titles available on most formats including PS4, Xbox One, PS3 and Xbox360.

What to do next?

Please email us on customersupport@boomerangrentals.co.uk and head your email "I am Legend" and we will sign you up as quickly as we can. Please use your Boomerang account email address.

We will then release more news on this offer.

Thank you for your understanding and patience.

*Your account needs to be live to receive the points.
**Subject to having sufficient Payback Points

Just posted on Facebook.
 
This is so annoying to hear, nothing seems to have been taken from my card as I get the yearly sub and just take my details off after the one off annual payment. But it's still a worry and gonna cancel my card.

These guys need to stick around though, rental services are the only reason I game otherwise fuck paying £40 for a game I'll play for a month max. That said I really do wish Lovefilm stuck around on the gaming scene, was inevitable things were gonna be for the worse when Amazon stepped in and here we are. :(
 
I assume they're still investigating the source of the breach.

I hope that we get an answer at some point, and it isn't all just swept under the carpet.
 
I can't remember if I used them years ago or not but I had a new card a year back so any details would be old ones.

I honestly don't use my card online for much at all any more, too often have these data leaks and hacks got in the way.
 
I have no issue with how they are dealing with this - except not emailing everyone first thing Monday. Even their "make good" program is careful not to admit guilt or apologise - presumably as they still have not found their breach.

This whole thing might backfire at the end of the month when all the uninformed members receive their card statements in the post.


I am sure they are. Given that the card companies will have taken some losses - if only in the staff costs and re-issuing new cards - they will want an explanation.



I use my cards for everything and this is only the second time I have been hit in ten years. The first time was likely a skimmer at a petrol station and not even online. During this time I was also refunded for one company delivering faulty goods and another going bankrupt. So all in all, I came off better using credit cards than I would have using cash.
 

I guess they might be hoping that if they do discover the charges on their statements, that people don't assume it was Boomerang that caused it? If it wasn't for this thread i'd have no idea it was them.
 
Got to say I find the "I am Legend" part of their compensation offer rather crass, and they still haven't sent out an email informing people despite saying they would in an earlier statement. Lack of any viable alternative means I'll probably stick with them though.
 

Same. It was only by chance that I saw this thread after having a call from my bank to inform me of potential fraud. Without it I would be clueless as to why it had occurred.

I did receive an email from Boomerang, but only in response to one I sent them after reading this thread.. Granted I haven't been a customer for 2 years, but they really should acknowledge that not everyone is watching their facebook and twitter feeds for an update. I suppose as far as they're concerned, an email to all customers (present and prior) warning them of potential issues is as good as admitting they're the source of the breach.
 
I used to use the service years ago and I cancelled my account in 2011 so I'm alright. Unfortunate for all affected though. So I hope they sort it out asap.
 
Add me to the list. £600 at Carphone Warehouse went through, and £579 at John Lewis was blocked. Can't prove it was Boomerang but the numbers do seem coincidental. I can't think where else it would have been, I'm guessing not Amazon or Netflix.
 

That's the thing. They don't mention the hack. The "I am Legend" compensation is for the website being down for half a week. It seems overly generous for the website being down but not generous enough for the inconvenience of those of us with hacked cards.

Just guessing but I suspect that they have a lawyer advising them not to admit to anything unless they find direct evidence of the hack - which if it was an inside job might be harder than just their servers being penetrated.

In the Monday press release an email was due "soon". Something changed and as I say, I smell lawyers.
 
All - the site is back online but there would appear to be security problems with it.

Boomerang have been contacted multiple times since yesterday and have failed to do anything. The site is still online.
 
Why are they only communicating to their customers via Facebook? That is piss poor.

And still no acknowledgement that there was a security problem with their site? cmon son...
 
Only place my card is stored is Paypal and Amazon and I'm fine. Never use it anywhere else either, not even in stores where I pay cash always.

Could mean nothing in the grand scheme of things, but based on me not being hit I'd say it's safe to say it's not Amazon.
 

There still is. You can use Internet Explorer to access others information still (edit: removed how since they haven't fixed it).
 
Got hit yesterday for a declined £1,800 at some online store. Got the text from Natwest so called them immediately - from abroad :( - and had my credit card cancelled.

Had Boomerang for a few months about a year ago, but when I logged in a few days ago to check, there were no details stored so assumed I was okay.
 
Just read through the Reddit thread - it's not looking good for this company.

This comment is a particular concern:

pipdreambomb @ Reddit said:
I've looked up Boomerang's public records, the ones it has to publish as a registered private limited company (Boomerang Video Ltd.). It looks like, as of their 2014 report, their assets only exceeded their liabilities by £19,052. The net worth of the company was £31,977. Not totally sure why those figures are different as they only had £6 in cash, but it's been a while since I got my Business Studies GCSE.
The point is, I think that if they're liable for the losses caused by the suspected breach, which could easily run into the tens of thousands of pounds in fraudulent payments, there seems a strong possibility they'd end up insolvent, which potentially could make them have to declare bankruptcy. Perhaps that's why they've been so quiet on the subject. Better to hope it all blows over, rather than warn customers about the risks they are facing.

The fact that there still appears to be a security breach, and that the company has been informed but not fixed it or taken the website down is worrying. If you look in the Reddit thread, you'll see that several people have reported it to the ICO, who may well come down on Boomerang like a ton of bricks given their handling of the issue.

It's not looking good for them at the moment.
 
Sounds like an odd issue, IE only?

What kind of exploit is it.

It's not IE only, I was just using that to demonstrate how much of a mess it is. Some pages on their site used raw SQL queries *by design*. As in, you can just see the SQL right there. I know they're on about how the 'database is encrypted', but that means jack shit when anybody can query the database. It still hasn't been fixed, and the site is still live.
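The design flaw this post describes, SQL carried in the page and executed as the browser sends it back, is why "the database is encrypted" is no defence: encryption at rest protects disks, not a query interface open to every visitor. Below is an added illustration in Python with sqlite3, not Boomerang's code; the members table, the sample rows and both handlers are constructed to show the weak design beside a hardened one.

```python
"""Weak design: the SQL text is a request field, so whoever reaches the page
decides what is read. Hardened design: the server owns a fixed, parameterised
query, allow-lists the columns and scopes the row to the authenticated account.
Added example with constructed data."""
import sqlite3


def build_db():
    """In-memory stand-in for a members table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        (1, "alice@example.test", "4242"),
        (2, "bob@example.test", "1881"),
    ])
    return conn


def vulnerable_profile(conn, request):
    """Mirrors the reported flaw: the query arrives from the client and is run
    verbatim, so any caller can read every row regardless of whose session it is."""
    return conn.execute(request["sql"]).fetchall()


ALLOWED_FIELDS = {"email", "card_last4"}


def hardened_profile(conn, session_user_id, fields):
    """Server-owned query: column names must come from ALLOWED_FIELDS (unknown
    names are rejected, never quoted), the account id is taken from the session
    rather than the request, and it is bound as a parameter."""
    wanted = set(fields)
    unknown = wanted - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    cols = ", ".join(sorted(wanted))  # every name has passed the allow-list
    return conn.execute(f"SELECT {cols} FROM members WHERE id = ?", (session_user_id,)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Page-supplied SQL: the whole table comes back.
    print(vulnerable_profile(db, {"sql": "SELECT email, card_last4 FROM members"}))
    # Same data, scoped to the caller's own account: exactly one row.
    print(hardened_profile(db, 2, ["email", "card_last4"]))
```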
 
I really don't know what to do now. I mean, is quitting their site shutting the stable doors after the horse has bolted? I broke my card before New Year and requested another, and I can't see any charges to my account yet. Other than that, I am happy trying games out that I am not comfortable with purchasing before trying them out.
 

If you've had your card replaced and didn't submit the replacement to Boomerang, you are fine right now. It's not possible to sign up with Boomerang or modify card details right now as they've disabled that functionality. If they re-enable that functionality I'd personally hold off resubmitting a card for now to see if they fix the site first.
 
Idiots tried to take out around £400 but luckily only managed to take £125. Hopefully I get it back but at worst thank God it was only £125.
 
Probably the best bet. Only started using them for the past couple of months, but I can't fault them. I mean, do they even have any competing business?

There are no active game rental businesses in the UK, as far as I'm aware. You can try googling it, but the few I found appear to be inactive (another has registration disabled, which made me ponder if they too had been hacked).

Re Boomerang, their site is still exploitable. Staggering they left it online all weekend with customer data on knowing it was abusable.
 

Ok, I know nothing about web security. Can you elaborate?
 