UK Gaf: Boomerang rentals (possibly) hacked.

My card got hit over the weekend, luckily my bank blocked it. I got a call stating to contact them about possible fraud, turns out whoever had the details had tried to send a fair amount of money to a wire transfer company. They'd also presumably registered the details on Ocado as there was a £1 charge from them when I've never used them.

Long story short - charges blocked or refunded, card cancelled and a new one's being sent out.

Hopefully Boomerang get Paypal sorted soon because I don't particularly want to put my new payment details on there. I still haven't received this email they said they were sending out last week either.
 
So, have they admitted accountability for this yet, or is there still doubt there?
No, they are still saying that they have no evidence they were hacked, but considering how many people on here, Reddit, Facebook, Twitter and elsewhere have been hacked who were Boomerang customers, it's looking more and more likely that they were hacked. There's been no admission yet, and no communication email either which is the worst thing - unless customers check their Facebook or Twitter, they might not even know something has happened and to check their accounts until it's too late.
 
Yeah; although it might create panic among some customers, they're better being proactive and warning customers to check their accounts and remain vigilant than sticking their heads in the ground and denying anything has happened. If it turns out the data breach did not originate with them, they can send out another message clarifying this, but reminding customers they take security very seriously and they value everyone's business. And if it was their fault, they've done the right thing in letting customers know ASAP. Ignoring the problem is not the right thing to do, and similarly only communicating over Facebook seems really short-sighted.
 
Just got hit as well over the weekend. I'm gonna give them a call and see what they say. Some transactions were blocked... some weren't.
 
Boomerang would appear to have disappeared - there's been no response re SQL injection, and no updates on Twitter or Facebook.
 
Thought I might have dodged this, but there are still reports coming in of people being hit so I've cancelled my card and a replacement is being sent out. If you haven't done this yet it would probably be a good idea to do so as whoever has the card data seems to be going through them all.

I've enjoyed using Boomerang on and off ever since LoveFilm stopped doing games. Their service has gotten gradually better and games are normally dispatched pretty quickly. However, this will surely put off plenty of customers and might end up with the company shutting down. It'd be a shame as there isn't any other viable option in the UK.

It's still strange that they haven't sent out emails advising customers that there might be a problem, considering the large number of people online who have reported problems. That might open them up for action from the ICO. But they haven't handled any of this particularly well and seem to have little idea about website security.
 
Cancelling your card was the sensible thing to do, given that new people seem to come to this thread daily to say they've been victims of fraud.

The way this has been handled has been disappointing. I wouldn't trust these guys to make me a sandwich, let alone look after my bank details. If they manage to survive this I won't be using them again in the future.
 
Okay, Boomerang have appeared on Twitter and appear to be telling people they've stripped the payment info from their database (I'd argue too late, given the amount of people defrauded). They haven't fixed the actual website, so you can very likely write some simple SQL code to pull out the name, address etc details - apparently the solution to that problem is to simply pretend it isn't happening by not commenting on it. They also haven't informed customers to check their statements, which they told press they would be doing last week.

The website is designed by Freetimers (a great company name...), as mentioned in their website footer. Freetimers have a page on their PCI Security compliance (for dealing with credit cards): http://www.freetimers.com/pci_compliance.php?p=security_backups (spoiler: the page simply says "Coming soon").

These guys are basically cowboys who covered up a major security breach leading to lots of real world theft, and the gaming press missed the story.
 
I have another week's worth of backdated fraudulent transactions (despite cancelling the card as soon as I got a fraud warning text) that I can't contest until they appear on the statement. I hope Boomerang go under for this. Pricks.
 
Here is a screenshot of Boomerang's FAQ page on credit card security with live SQL code *in the fucking page*:

[screenshot: 0imTHqf.png]


Boomerang have now silently fixed this particular page. Site is still live with this shit, customers still not notified.
 
My card was hit on the 16th and yeah, this is definitely Boomerang's fault. Cancelled my card and waiting to get my money back. They used £30 for an O2 top-up.
 
I've not been hit yet, signed up with boomerang about 3 weeks ago.

Is it advisable to cancel my card and notify my bank of the situation, or just wait it out to see if any fraudulent transactions show up?
 
I had another one show up on my statement today despite the card being cancelled last Tuesday.

Do not trust what the bank says - you need to check your account every single day for new transactions. I am now awaiting two fraud letters to sign and return, not to mention the 'in limbo' ones that were caught and reversed before they hit the statement. Hundreds of pounds in total.

This has taught me to be VERY selective about where I store my card details.
 
I would be proactive and cancel. I would also advise everyone to check their statements and even check with their bank for any pending point-of-sale transactions.
 

Personally I would cancel your card, mate. Not worth the aggro, and people are still being hit.
 
I got some fraudulent transactions on my card on the 10th and thought it could only be a cash machine I used the night previous, but after reading this and thinking about it, I logged into Boomerang that day. I was thinking of reactivating but they still have my details on file so...

They tried £1028.99 Costco buy online and £168 Groupon but got flagged and I got a text. They did unfortunately get 2 x £20 Starbucks vouchers.

Cancelled card as soon as I noticed and bank refunded the £40.
 
Definitely check your statements and cancel your cards. Given the amount of misuse of cards it seems clear the details have been stolen and sold. The places they are being used are all UK stores, so it is likely a criminal gang in UK who have your details.

Also worth noting at least one person online was told by their bank the fraudster had actually phoned them to try and unblock his card. These people are going to seriously try to rinse every customer. Boomerang not notifying customers is, I believe, a terrible thing to do.
 
They will have been sold on a week ago. The hackers are not usually the ones who abuse the cards. They make a few small tests - hence all the phone top-ups - and then sell the working numbers to people who will either use them for internet fraud or clone them on to physical cards.

Scammers often try to reactivate cards. Years ago I received a call from my bank that literally went:

Me : "Hello?"
Bank "Why did you just hang up?"
Me: "Sorry?"
Bank: "This is Barclaycard customer service - we were speaking and you hung up the phone when I asked your security questions"
Me: "What the fuck?".
 

Being selective about where you store your card details means nothing if the website is run by incompetent idiots who store all card details on file somewhere even when the customer removes them. My card details haven't been on their site for nearly a year.
 
Same here - I think the last game I rented was Mass Effect 3 when it was released (!)
 
Gah, this has made me paranoid and I'm thinking of cancelling my bank card and getting a new one. And I'm not even a Boomerang customer, but someone got into my Twitter account a couple of weeks ago, and I have the same password for lots of different online sites, some of which have my card details stored.
 
Unless those sites display your card number (they shouldn't), you are fine. You should change your password across the sites, though, otherwise people will misuse Xbox Live accounts, Amazon, blah blah.
 
Initially, I wanted to continue to support Boomerang, as they are the only viable UK gaming rental service available. My experience has been generally very good, and certainly dramatically improved in the last 12 months.

While I wasn't hit (I quickly cancelled my card when I heard about the issue), I am disappointed in their lack of action and response for those people who are not viewing GAF/Reddit. Also, none of the major UK gaming outlets have picked up this story from what I can see. Boomerang have not sent an email out to all customers (which they said they would) and the risk that customer information could still be taken is appalling.

For this reason, I have cancelled my Boomerang account. I told them all this in the feedback section when I closed the account down.

I am not angry or frustrated, these things can happen, and I applaud their efforts in trying to offer a rental gaming service. However, I am so disappointed in the lack of action taken given this was initially reported getting on for 2 weeks ago, and customers could be completely unaware or blind where the data breach was.
 
UPDATE:

We continue to receive more messages than usual, and our team is working hard to respond as quickly as we can. We are currently working on emails received on Friday. Today, we will also start to prioritise those of you who have asked when you will receive a reply to your email.

We are aware that some customers aren't able to view their rental list and we are looking into that at the moment. We will also advise when the mobile site will be available.

New releases will continue to be despatched, with Saint's Row going out to customers tomorrow.

Our investigations continue and during this phase, monthly subscriptions will be processed away from the live environment. We have spoken to our key partners and they have confirmed that we are taking the right steps at this stage.

We hope to have a new payment platform available over the next week or two. We will provide details on this at the appropriate time.

Our team is working as quickly as possible and we hope to start to respond to individual Facebook messages and tweets today. We will provide all the information we can, however, please be aware that in some instances, this may be limited.

To date we have still not identified any evidence of a breach of our systems. We are continuing to investigate and take this issue very seriously.

Hmmmmm
 
There is overwhelming circumstantial evidence but unless they find hard evidence they are not going to admit it. Even the fact that people have highlighted site vulnerabilities doesn't prove these security holes were used in this case.

When the promised customer wide email never happened it was obvious that they had taken this position and now they are locked in to it. Emailing the customer base more than a week after it was brought to your attention is arguably worse than not emailing at all.
 
Looks like they blocked the guy on Twitter that's been compiling all this because he was trying to warn them about more SQL injection stuff.

Seems like they're now just in lawyer advised "ADMIT NOTHING" mode and hope it blows over, despite potentially keeping a site filled with security risks running.

Looks like this will be the end of them due to such naive incompetence thinking this sort of thing can be solved by burying heads in the sand.
 

Yeah, it's hilarious.

Their experts (and I use that loosely) have failed to find the SQL injection errors that are still publicly available, their updates are just odd ("We've got no proof of anything, we're admitting nothing, but we've deleted everything"), and the promised email to all customers has never turned up.

I'm never using this company again.
 
You don't know why the guy was blocked. Kudos to him for alerting everyone but he did seem a bit of a nut and I could easily see him being a bit too aggressive.

Also he backtracked some of the SQL stuff on reddit. Lot of it was just shoddy debug code left in place.

The updates seem reasonable. Their staff were not up to finding the problem and they were a bit slow bringing in a third party - but if it was an inside job they might not find anything. The lack of an email is disappointing but as I and a few others have said - smells like lawyers telling them to admit nothing.
 
Wait a minute, this is the first I've heard of it.

My card was used on O2 PAYG top-ups a week ago and I cancelled my card right away and got it sorted, but I had no idea how it happened. Maybe that was Boomerang then.

I can't seem to cancel my account now either. I guess it doesn't really matter now considering the card on file is the one I had to cancel. Boomerang won't survive this fuck up.
 

Yeah, they have handled this so badly that to be honest I think they deserve anything that happens to them. I was honestly wondering a few weeks ago what rental companies still existed - obviously Blockbuster has gone under, I used to use Swapgame, Lovefilm doesn't do games any more, and I don't know any others. Oh well, even if they come out of this unscathed (and I honestly think this will be the end of the company), I can safely say I'll never use them.
 
I understand the need for retribution but it would be a shame if everyone loses their jobs - and customers lose the only real rental option left - just because they hired a local web design company who don't appear to know what they are doing.

Personally, I will be happy to stay with them after all this - albeit with a pre-paid card this time or paypal if they ever offer it.
 

Underlings always get the worst deal, but basically the heads of this company reveal over the passage of time how little of a shit they give about a serious breach in card details and seek to cover their own asses by not admitting anything.

Hey, I really want a good rental option too. But putting money into the pockets of incompetent and at this point thoroughly reckless individuals is not a cool feel. They either offer Paypal in some way (yes I understand the problem but, what else?), or they lose most of their base when they start demanding new card details again.
 
I don't disagree with any of that. We don't know, and likely never will know, the whole story, but you are right in that it looks bad.

That said, my personal stance is that I will continue to support a company that I don't fully trust if it is still in my best interest, and if I boycotted, out of principle, every big company that I thought was anti-consumer and out for themselves, I would rule out 90% of companies I deal with. E.g. everyone loves their PS4, but it was not that long ago that they were hacked and it took over a week for them to make a statement.
 
Thought I had got away with not being hit.

I would urge anyone who has/had an account with Boomerang to call their bank and cancel their card. I know it's a pain, but it's far better to take a precaution now and be without your card for a few days, rather than get hit with a fraudulent transaction further down the line.

Whoever took these details is obviously still active, and it seems like they're working through the list. If they've got your details, it's probably only a matter of time before something odd pops up on your statement.

I know that the link to Boomerang still hasn't been confirmed, but the evidence in this thread and elsewhere on the web is overwhelming.
 
It's also worth keeping an eye on the Reddit thread for anyone interested:

http://www.reddit.com/r/xboxone/comments/2rv71t/have_boomerang_rentals_had_card_details?sort=new

Someone has suggested that passwords may also have been compromised, so if you used your Boomerang password across multiple sites, consider changing it:

It's not just my card details compromised. Someone tried logging into my Battle.net account, as the email and password were, by chance, the only 2 accounts with the same password.
 
They have updated the message when you try to update your card details.

"Update 24/1/2015

Updating Your Card Details
Please accept our apologies, we are currently changing our payment platform.
You should be able to add your new card details from Wednesday 28/1/2015.

The Changes
The new platform will look a little different. When you update your card details, you will be directed to our Payment Partner page to enter your card details and then back to our site afterwards.

You won’t have to do more than you would do ordinarily, it will just look a little different and is totally secure.

Waiting for a Game?
We are still receiving and despatching rentals during this period including new releases. You should also be able to manage the rest of your account as normal.

However, if you are currently waiting for a game because your account needs new card details, please email us at customersupport@boomerangrentals.co.uk with the email subject "Allocate Game" and we will despatch a game to you as quickly as we can. This is only a temporary measure, just while we wait for the new payment platform to go live.

Thank you for your patience, we will let you know when you will be able to update your card details, as soon as we can."
 