Chugger pump hacked user data

There are a million programs out there that do this same thing... but maybe take a look at KeePass. It will let you generate a strong password for each site individually and store them in a database. They have a version for your phone as well. You can create a key file to open the database as well as a strong (rememberable) password for it. Then every site you use has a strong password that is distinct to that site.
 
Honestly if you were half as good as you claim there would be no issue.

As for Chugger not posted on HBT today... I consider that a good thing. They are working on the issue.

Some solution they came up with. No clue how to fix it, so we'll just shut down website sales. How can I trust them when they say my CC information wasn't accessed when they apparently don't even know how the incursion happened in the first place?

Regarding your first sentence... it makes no sense. The fact they didn't know about this until OP brought it to their attention and chose to frantically shut everything down tells me all I need to know. I'm not surprised. Since I actually DID business with this company and the owner showed me his personal customer service style at that time. Unfortunately, Pandora's out of her box.

Plain and simple, this business had a fiduciary duty to protect customer privacy, failed miserably, and still doesn't know how it happened, or even what happened. If they did there would be no need whatsoever for the panic move of deleting everything and shutting down web sales.

PS, all who think it's no issue once you change your passwords on all other sites either aren't on the list, or don't realize their email address (which most use on a recurring basis for logins) is now being matched up with password cracking algorithms all over the world. It is necessary to not only change one's password that was compromised, but every single iteration of that password that might have ever been used on every site that it's been used on, and continue changing that password going forward. This was an ounce of prevention or a metric ton of cure.
 
There are a million programs out there that do this same thing... but maybe take a look at KeePass. It will let you generate a strong password for each site individually and store them in a database. They have a version for your phone as well. You can create a key file to open the database as well as a strong (rememberable) password for it. Then every site you use has a strong password that is distinct to that site.

That's great until someone gets your KeePass password (and I think you mean memorable ;-) and by millions I think you mean a handful: LastPass, KeePass, etc.)

You have to remember that it's not the user's security context that was a vulnerability that led to this data breach. It was a vulnerability on the side of the Chugger site servers and/or administration. I can't speculate in regards to what it was, but whatever the case, they were able to parse the user database that had clear text passwords. This would have stopped this vulnerability issue at the door. So that's a HUGE no-no in any online store/login. Someone clearly did not do their due diligence.

Blaming a user because they used the same password on a site as their email password is bad form. Not everyone is as enlightened as you are in regards to security, and as I stated before, sometimes you're rushing and just forget to do so or don't have access to it ("argghh... march madness... must... get... before.... all out!"). Plus changing your password every six months is mitigating but isn't really a great choice either.

I understand that breaches happen and in our current environment they're bound to at an increasing degree. However, a company needs to do everything, to a reasonable degree, to protect all customer information. They also need to do everything they can to resolve the issue to the customer's satisfaction (as defined by the law and regulations).

And just because they removed the link for the account login doesn't mean the page is gone for good. In fact I just reset my password and logged into my account (as shown below). And my customer data is still there (as well as my order information, except for my cc information).

2013-09-18 10_05_41-Chugger Pumps.jpg


2013-09-18 10_07_46-Chugger Pumps.jpg


2013-09-18 10_10_50-Chugger Pumps.jpg
 
Yes, it is unfortunate that the website was hacked, but seriously, if you're using the same password as your banking password for a shopping cart website, it's really the users that are at fault. Come on everyone, use some common sense! The last thing Chugger Pumps should do is re-post the list anywhere! Why would you want your information more publicized? Plus, the list has been removed from Facebook. This has happened to 1000s of companies large and small; it's how hackers work! Change your passwords for everything you do every 6 months and make them complicated, not simple! If you have a real big problem with it, call Chugger; they have always taken care of their customers.

The issue has been taken care of. Change your password and move on!


First post. Classic shill. Only a fool doesn't see how amateurish this company is handling this.
 
I still like chugger pumps, I like their SS head, their March madness sales, the good customer service. So I had to change my password to my health club and amazon, big freeken ***. If you use the same passwords for your banking, you're asking for trouble. Let me guess it was 1234? I checked all my cards and accounts and do not see any charges I did not make, I know this because I'm poor and watch every dime. Every brew day I say a little prayer thanking god for my pumps and how I don't have to lift anything any more. Do you hear me Chugger pumps, LOTS OF US STILL LIKE YOU! But seriously, you guys have to hire a super computer nerd to lock down customer info.
 
That's great until someone gets your KeePass password (and I think you mean memorable ;-) and by millions I think you mean a handful: LastPass, KeePass, etc.)

You have to remember that it's not the user's security context that was a vulnerability that led to this data breach. It was a vulnerability on the side of the Chugger site servers and/or administration. I can't speculate in regards to what it was, but whatever the case, they were able to parse the user database that had clear text passwords. This would have stopped this vulnerability issue at the door. So that's a HUGE no-no in any online store/login. Someone clearly did not do their due diligence.

Blaming a user because they used the same password on a site as their email password is bad form. Not everyone is as enlightened as you are in regards to security, and as I stated before, sometimes you're rushing and just forget to do so or don't have access to it ("argghh... march madness... must... get... before.... all out!").

I understand that breaches happen and in our current environment they're bound to at an increasing degree. However, a company needs to do everything, to a reasonable degree, to protect all customer information. They also need to do everything they can to resolve the issue to the customer's satisfaction (as defined by the law and regulations).

And just because they removed the link for the account login doesn't mean the page is gone for good. In fact I just reset my password and logged into my account (as shown below). And my customer data is still there (as well as my order information, except for my cc information).

Note they would have to get access to your KeePass database. Then they would have to crack your password. They would also need to get access to your key file as well. My point being it's very difficult (especially if you keep the key file in a secure location).

As for the site and still being able to access your account... yes, web development doesn't seem to be their forte lol.
 
So I just checked the Facebook page, it is down. I also logged onto the Chugger Pumps site, and found that I can still access my account. So I went in and changed all my info. I suggest everyone else do the same.

chugger.jpg
 
Update: I just talked to Mike at Chugger Pumps; they were unaware the log on link was still working. He told me that they are working on removing all access points to the accounts now. It still doesn’t make it right when you stated that you deleted the user email addresses and passwords yesterday, and just removed the log on link from the page. So let's get this fixed ASAP and live and learn. If you use the same password on multiple sites, learn from this, and be glad it isn’t as bad as the other sites that have been recently hacked.
 
Oh no. They lied to their customers?

The SWHTF in 3...2...1...

<---grabs popcorn
 
Or misinterpreted what was actually done...

"As a precaution, Chuggerpumps.com has deleted all its customers usernames and passwords. If you use your Chuggerpumps.com password elsewhere, make sure to change it there as well."

Deleted from where??
 
Yes. I believe they think they deleted all the accounts but in reality not so much. They clearly know mechanical things and not how to run a website. It's good they are removing sales from their website. Hopefully they see this and actually delete the account data and remove these pages from the website.
 
Yes. I believe they think they deleted all the accounts but in reality not so much. They clearly know mechanical things and not how to run a website. It's good they are removing sales from their website. Hopefully they see this and actually delete the account data and remove these pages from the website.

TBH, I don't think it's necessarily Chugger that's completely at fault for the breach but possibly the company that built and maintains their website and who they trusted were on top of things. I won't name who because of possible issues with lawyers and defamation of character.
 
Was it cheaper to buy directly from Chugger instead of one of their distributors?
 
I closed this thread since the main point that customers of Chugger Pumps need to change passwords and watch for unauthorized charges has been made. If you have further questions, please contact Chugger Pumps directly. Please do not open another thread on this topic.
 