For those not looking to click through to the site:
====
We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway, we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience and are working diligently to resume service as soon as possible. Your images are saved and you will have access to them once service to CVSPhoto.com is restored. Our in-store photo centers are not affected and remain in service. Film and disposable camera orders are being processed and your CVS/pharmacy will contact you when they are received.
Customers who provided credit card information for transactions on CVSPhoto.com are advised to check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.
Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com, optical.cvs.com, cvs.com/MinuteClinic on line bill pay and our pharmacies. Financial transactions on CVS.com, optical.cvs.com, cvs.com/MinuteClinic and in-store are not affected.
Nothing is more central to us than protecting the privacy and security of our customer information, including financial information. We are working closely with the vendor and our financial partners and will share updates as we know more.
My sarcasm detector is admittedly permanently broken thanks to years on IRC and forums, but just in case:
It's useful because the steps a reader would need to take before being secure clicking through to a site identified in the submission title as "hacked" (I notice the title has been clarified since then) are non-trivial. I figured since I'd done them once, I might as well save additional folks the steps if they were just looking for the page contents.
It's useful because this situation is temporary. Once the site is back online, the explanation will no longer be posted and anyone coming across this post in a week, month, or years later will have no information.
Like others have said about this happening to Costco too, this is all because CVS, Costco, Sam’s Club, Walmart Canada, and Rite Aid use PNI Media as a backend for their photo services and PNI seems to have been hacked:
Hey, I'm actually the creator of the plugin. I'm amazed to see a picture of it on HN. Thanks for using it and let me know if you have any questions. If anyone else wants to use it, it's called Plain Text Offenders Alert and available in the chrome web store.
plaintextoffenders.com itself works on reports. My extension uses an API (https://8ack.de/plato/info/). The extension regularly caches the list of offenders and checks your current URL against the list locally, so neither I nor the API creators can see your browsing history.
My credit card was ripped off 4 times in the last year. Recently, I had a credit card for less than a week.
Since then, I started to use virtual numbers. It's a feature that generates a virtual credit card number that I am opting to use per vendor. Hopefully, this will expose the vendors that are leaking this sensitive information.
The only two live US banks with this on the consumer side are Citi and BoA. The unfortunate thing is that the functionality is all accessed via old flash applications.
As a result of recent reports suggesting that there may have been a security compromise of the third party vendor that hosts Costcophotocenter.com, we are temporarily suspending access to the site. We take the security of our members’ data seriously, which is why we are taking this precautionary step. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers.
This situation is affecting multiple online photo sites. We are diligently working to determine when we can re-enable the site, but in all likelihood that will not occur until the middle of August. We will update this statement when we have more information.
Hate on "We take security of your data" is a new hype, but grandparent and OP actually contained blame shift:
> security compromise of the third party vendor
> collected by the independent vendor <...> may have been compromised
This is the case of "sorry for my friends, I'm doing the best I can", which is an entirely different situation from the "I accidentally slept with your best friend, but I value our relationship" kind of PR.
If they "took security seriously" they would work with vendors who take security seriously. Wonder if they'll drop these guys as vendors now that they are proven to not take security seriously...
Credit card security is a joke. I shouldn't have to worry every time I give my credit card information to a website that they may leak it due to whatever reason. The information that I give out should be considered public information. They should require to always authenticate myself with the physical card (which is a smart card by the way). What's the point of the card otherwise?
It's not like I want to cover up for cvsphoto.com. I just find it ridiculous that if I give my credit card info to N websites, then the risk that my credit card info gets stolen and abused is O(N) instead of O(1).
It's still a major hassle when our cards get compromised and subsequently canceled by the bank.
I've had it happen when I'm traveling, and my primary card suddenly stops working. I always carry backups for this reason, but it's still disruptive and potentially embarrassing.
Also if I have a card on file for recurring payments or repeat orders, I have to go find all of those places and update it every time the card gets replaced. When it happens once, it's not so bad. When it happens two or three times a year, it's a headache. I finally took to having a single card that is used for ONLY recurring payments, with the hopes that it wouldn't get compromised and when the others do I wouldn't have to go through this whole exercise again. So far so good.
The bottom line is yeah, it doesn't cost me money, but it does cost me stress and time. I have better things to do with my time and energy than cleaning up after yet another compromise that happened through no fault of my own.
> I finally took to having a single card that is used for ONLY recurring payments...
This is a sound plan. Kudos!
For non-recurring payments, I've taken this a step further: I use a debit card for online purchases backed by an account with just a few dollars in it. When I wish to make a purchase, I move the funds for that purchase into that account.
I would rather have a fraudulent purchase be declined than to deal with the hassle -however small- of disputing a charge.
Are you sure it works that way? By default, the bank is more than happy to let the transaction go through, then charge you $20 for loaning you the money, plus much more interest than you'd pay with a credit card.
I'm 100% certain. I checked it intentionally once, and accidentally another time. As I understand it the trick was to decline the "Overdraft Protection" shit that every bank was pushing many, many years ago.
Use an American Express. My card was compromised 8 months ago and most of my recurring transactions still go through on the old card #. Amex was the only card issuer that didn't issue new #s to cards breached during the Target hack.
Also most recurring billers use account updater so if your bank supports it, the billers will get the new card #.
<Shameless self promotion>If you're in the US: We're working on solving this at getFinal.com. Email us and we'll make sure you get taken care of as soon as we can.
You indirectly pay for all fraudulent charges because they're included in the fees the merchants pay to the credit card companies (and obviously just include in their pricing as well). With a secure system those fees could be much lower.
If the thief is slick he / she may make small charges that you wouldn't immediately notice or at all if you're sharing the card with someone else (e.g. a significant other). It's also a HUGE pain in the ass.
Weird. Carphone Warehouse (UK) has some news too: "Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says."
From the page: "We apologize for the inconvenience and are working diligently to resume service as soon as possible. Your images are saved and you will have access to them once service to CVSPhoto.com is restored."
That being said, my understanding as somebody with 15 years of working history in the online photo space is that PNI is the host and all of their major customers shut off so I can't imagine that PNI is very healthy right now. If I am mistaken and the individual sites (Rite Aid, Costco, Sam's Club, Tesco, CVS and Walmart Canada) actually store and manage the photos then the data is likely to be fine.
That also being said, never trust your photo storage to an online service even if you are paying for it. Photos generally don't take up that much space. You should have at least two copies on devices that you own if you don't want to lose them.
Saying the images are 'saved' is not the same thing as saying that they were not improperly accessed. That's what I'm wondering about (I phrased my initial comment poorly).
====
For more information, call 1-800-SHOP-CVS.
====