siliconsara: (Default)
[personal profile] siliconsara posting in [community profile] knitting
I hate to be the bearer of bad news, but I thought this was pertinent to the community since I believe some of us have purchased yarn and other stuff from Knit Picks.

If you ordered something from the Knit Picks online store from late 2012 to 2013 then you need to call your CC company/bank posthaste to report the card lost/stolen and to see if there are any fraudulent charges. Someone used a security exploit of the web software that handles transactions to gain access to the consumer database for online orders. They say even if you did not order from KP recently but in the near past, it is a good idea to report the card you used and check your statements. I ordered from them a few years back and did not hesitate to report my card and cut it up just now.

Here's the official statement from the CEO.


Here is a guide (unofficial) for those who might have been compromised.

The Facebook page for KnitPicks is alive with discussion about this mess.

(no subject)

Date: 2013-02-20 07:37 pm (UTC)
dragovianknight: Now is the time we panic - NaNoWriMo (Default)
From: [personal profile] dragovianknight
Thanks for the heads up; I placed six orders during the relevant timeframe. *headdesk*

(no subject)

Date: 2013-02-20 08:12 pm (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
They say they contacted affected customers, so unless you got a letter, the best thing to do (because changing your CC# everywhere is a pain in the fucking ass) is probably to just watch your statement extra closely for a while, rather than cancelling the card as stolen -- that's what I'd do, at least. You're not liable for any fraudulent charges either way.

I'm more concerned about the fact they had credit card numbers unencrypted on their system in the first place; I seriously doubt they're PCI compliant (because that's a bitch and a fucking half) -- they shouldn't store customer credit card data at all, anywhere, without that.

(I do love the people on Facebook who are like "this is why I pay with PayPal, it's safer!" Um, no, it really, really isn't...)

(no subject)

Date: 2013-02-20 09:05 pm (UTC)
carynb: (Knitting)
From: [personal profile] carynb
Yeah, I ordered from Knitpicks a little earlier than their time frame (early December), and it looks like my info got stolen. I got a call from Visa 2 weeks ago about probable fraudulent charges that had just happened. And yes, they were fraudulent. The Poker sites just didn't mix in with all the Kobo, Amazon, and PayPal charges on the card, I guess. :-) Thank gods for Visa's unlikely-purchases algorithms.

I haven't received a letter yet, either, but I'm Canadian and the letter from the CEO did say that the Canadian letters haven't been sent yet.

(no subject)

Date: 2013-02-20 10:36 pm (UTC)
quartzpebble: (laminaria)
From: [personal profile] quartzpebble
Yeah, I did not order in that time period and two of my cards were compromised. I don't know if they sent any notification because I have moved since ordering (I think the last time I ordered was summer 2012).

(no subject)

Date: 2013-02-21 12:07 am (UTC)
lannamichaels: Astronaut Dale Gardner holds up For Sale sign after EVA. (Default)
From: [personal profile] lannamichaels
I'm 99% certain they're the reason my card was stolen and I haven't received a letter.

"I'm more concerned about the fact they had credit card numbers unencrypted on their system in the first place;"

I'm seriously concerned about this bit. I love their products, but I'm not sure about buying from them in the future, or doing it without looking into ways of protecting the number from them (or just biting the bullet and getting a card just for buying online).
Edited Date: 2013-02-21 12:08 am (UTC)

(no subject)

Date: 2013-02-21 12:13 am (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
Prepaid credit card, or many card companies will now do single-use numbers (i.e., it charges to your card but you can give each retailer a unique, one-use number).

(no subject)

Date: 2013-02-21 02:39 am (UTC)
ladyjax: (Default)
From: [personal profile] ladyjax
Just this once, I'm glad that I ended up having to replace my card - for a similar reason, actually - near the end of last year.

(no subject)

Date: 2013-02-21 04:14 pm (UTC)
visual_syntax: (Default)
From: [personal profile] visual_syntax
Yes same here!!!

(no subject)

Date: 2013-02-21 03:32 am (UTC)
ciaccona: Photo of a green field with haystacks, with a higher hill and mountain in the background. (Default)
From: [personal profile] ciaccona
I placed an order in December, and had fraudulent charges in January. (And I very very rarely use that CC, so it had to be from this breach.)

I heard about this from a friend before the linked blog post, and still haven't heard from Knitpicks.
Edited Date: 2013-02-21 03:33 am (UTC)

(no subject)

Date: 2013-02-21 04:09 am (UTC)
sciarra: (Default)
From: [personal profile] sciarra
A friend had her info stolen and still hasn't received a letter. She lives in the US. If you fall in the time frame of the leak, I would definitely keep close watch.

(no subject)

Date: 2013-02-22 07:00 pm (UTC)
snazana: (omg please)
From: [personal profile] snazana
I got a fraud call from my credit card company a couple of weeks ago. I only use that card for online purchases. Got my new card a couple of days ago and will be using my bank's safe shopping option online from now on.

It's kind of a relief to know where my number was compromised.

(no subject)

Date: 2013-03-13 04:43 am (UTC)
rainne: (Knitting)
From: [personal profile] rainne
Wow. I almost ordered from them a couple of weeks ago; I wish I'd seen this before that. I'm glad I didn't, now.
