Johnny's Website Hacked!

Great South Bay, Lon, NY(Zone 7a)

Just an alert to let you know Johnny's Selected Seeds' website was hacked early last month, resulting in the theft of personal information and credit card numbers of some 11,000 customers.

I received a letter, via snailmail, today, notifying me I am among those affected.

Check your snailmail, folks.

Danbury, CT(Zone 6a)

Me too! I just got home and opened my mail and found the same letter! It is now March 1 and this happened on Feb. 4 and they found out on Feb 18. That seems like a long lapse in time from when it happened. I didn't read anything about it being 11,000 customers in my letter. No charges have been made on my credit card, but I'm going to cancel it anyway.

Hackers! I have some choice words running through my head, but they would be illegal on here. Use your imagination if you will.

Great South Bay, Lon, NY(Zone 7a)

I spoke to them after receiving the letter. The 11,000 figure was given as part of the reason it took so long to get notification out.

Rome, GA(Zone 7b)

I got the letter as well :( Had you all placed recent orders with them? I bought something just last week but my order before that was in December so I was kind of surprised they had my credit card number still. Most companies don't store CC numbers for just this reason. No suspicious charges on my account so I'm just going to watch it awhile.

Judsonia, AR(Zone 7b)

Thanks Donn, guess that was the reason I didn't get notice till a month later.

http://davesgarden.com/forums/t/697878/

Danbury, CT(Zone 6a)

My purchase was in January. I too was surprised that they stored the credit card numbers.

Ida, MI

Yep, got a letter too, now I have to go cancel my credit card, boy this hacker stuff gets annoying. If they have this kind of computer ability why don't these morons go out and get a real job!

North Augusta, SC(Zone 8a)

Got my letter from them this afternoon and was also surprised to find out that they had stored my card information since I don't normally do business with any merchant that requires you to do this.
I had to spend what felt like forever on the telephone with my credit card company to cancel my card.
I've always enjoyed the products I've purchased from Johnny's, but since I'm now aware that they do store information like this, I will take my business elsewhere.
Alice

Great South Bay, Lon, NY(Zone 7a)

I'm not going to stop buying from them. Their selection is just too good to ignore, and I think their catalog is a tremendous resource for veggie gardening information.

Until they convince me they've got their security thing fixed, I'll do it the way I did before the internet came along. I'll mail in my orders, with a check.

Johnny's is a seed house, not a technology vendor. The quality of their product isn't affected by this issue.

Judsonia, AR(Zone 7b)

My credit card company was fantastic, sending me a new card in 24 hrs. Because we put everything on our card and pay it off monthly, I needed one fast. They even told me to give them the total amount I spent cash or checks on and tell them that amount when the card comes in, and they would give me points for that amount. They were extremely nice, told me I would never be responsible for debts I don't think I put on the card. Cabelas Visa is my Visa LOL, good ol' Cabelas. It's still a hassle having to do this, I hope Johnny's doesn't save credit card numbers for future reference any more. But a lot of companies do that.

Painesville, OH(Zone 5b)

Me too. I called the bank and probably got the dumbest teller ever! She was like, What? Huh? What do you mean? I was getting so aggravated! I did the fraud alert thing with the credit bureaus. Tamara

Los Alamos, NM(Zone 5a)

I order a lot from Johnny's but I also lose my credit cards a lot. I frequently have to replace them. So if they got my credit card number from Johnny's they will find out that the card is cancelled. I haven't ordered from them since last year. I am amazed my scatterbrained trait actually came in handy for once.
I feel sorry for Johnny's. They are good people. But people need to learn not to store other people's credit card numbers on a computer. It is a nightmare for all concerned when they are hacked.
Sounds like Johnny's needs to find a better web consulting firm or get one if they don't have one.

Efland, NC(Zone 7a)

I use Johnny's quite a bit, too. And have for years.

I've noticed on their site they have a "create an account" feature so when you "come back to re-order in the future" it makes your purchase like a "one-click" feature.

I never selected that option and have to enter my info each order.

I'm just wondering if those of you who got the letter from Johnny's had selected that option and that is why your CC# was available. Would love to hear who used that feature and who didn't. (As for me, I haven't gotten the letter, yet!)

Shoe

Augusta, GA(Zone 8a)

I don't use that option either, but got the letter yesterday. They may have sent it to everyone that ordered this year.

Southern Mountains, GA(Zone 6b)

Me either Shoe, I've ordered from Johnny's but not this year. I haven't heard anything from them yet. I haven't contacted my credit card company yet, but I do have fraud alert and so far there are no charges I haven't made myself. I wonder if they hold card numbers from seasons past. Looks like we all could have had the courtesy of an email alert.

Efland, NC(Zone 7a)

Thanks F-dill.

Course now, I also placed an order with them last week, it was shipped one week ago yesterday and I still haven't rec'd it. I wonder if the hacker rec'd my order and is now planting my seeds, dagnabbit! :>)

Shoe

edited to thank you, Roseone! Good point...a quick email would've been a much quicker route. Or maybe they thought that would freak folks out and they'd start canceling orders or at the very least inundating them with phone calls or return emails?

Shoe


This message was edited Mar 3, 2007 4:45 PM

Alexandria, IN(Zone 6a)

I e-mailed Johnny's a while back about their domain address...they had two similar ones. That bothered me.

Dayton, WA

I ordered seeds from Johnny's in January using my credit card. Haven't received any letter from them. Maybe the snail crawls slower from there to out here, eh?

Everson, WA(Zone 8a)

I order by phone and pay with CC. My last order was Dec and no letter. I wonder if they save phone orders? I guess I will just have to ask.

Maybe they sent snail mail because they didn't want people to just delete without reading. If they send letters to 11,000 people this is going to cost them several thousand. What a waste but makes me think I will make the orders, do the math and send a check. Ernie

SE Houston (Hobby), TX(Zone 9a)

Hello All.

I, too, received a letter, and promptly cancelled my CC. No suspicious charges, and a fraud alert already existed on my Credit Bureau sites.

Now. Regarding future business with Johnny's. I concur with Donn:

Quoting:
I'm not going to stop buying from them. Their selection is just too good to ignore, and I think their catalog is a tremendous resource for veggie gardening information. Until they convince me they've got their security thing fixed, I'll do it the way I did before the internet came along. I'll mail in my orders, with a check. Johnny's is a seed house, not a technology vendor. The quality of their product isn't affected by this issue.


And, with pajaritomt

Quoting:
I feel sorry for Johnny's. They are good people. But people need to learn not to store other people's credit card numbers on a computer. It is a nightmare for all concerned when they are hacked.
Sounds like Johnny's needs to find a better web consulting firm or get one if they don't have one.


Let's not punish Johnny's. They probably did the best they knew how to do, technologically. Their real expertise, as we ALL know now, is seeds -- not hackers...

Lawrenceville, GA(Zone 7b)

I got mine as well. I don't use their one click feature but I think they may store the last 4 digits as part of the record of the transaction.

Funny though, from reading the letter, I got the impression that someone physically broke into their premises

BB

Rocky Mount, VA(Zone 7a)

The way to circumvent this problem in the future would require a little work, but is "do" able, as far as an invader over the internet. A local "break-in" would be more work to protect against (and more expensive as a security system would be involved) but it is also a can do. I would be interested in seeing actually what they decide to do to protect their future business.

Great South Bay, Lon, NY(Zone 7a)

I just received the latest newsletter from Johnny's, which includes the following link to a fact sheet concerning the data compromise:

http://www.johnnyseeds.com/catalog/emails/Web_data_compromise.html

SE Houston (Hobby), TX(Zone 9a)

Thanks for the link.

Murfreesboro, TN(Zone 7a)

Indy, you said, "I e-mailed Johnny's a while back about their domain address...they had two similar ones. That bothered me." I work in the tech sector and it is common practice for reputable businesses to buy up all the similar sounding or similarly spelled domain names and point them back to their primary website.

Between the hackers and the spammers (who send the company I work for over 6 MILLION spams a month) and the virus and spyware writers, it appears that I will be employed for a very long time... if only these evil people would spend their time focused on ending world hunger, housing the homeless, taking care of our mentally ill, etc. - well, we'd be living in Utopia now. And that would free up a goodly chunk of my department's time and our company could do more business and help out the economy more.

I'm sure Johnny's is mortified and is currently burning the midnight oil to improve their site. It is a pain and inconvenient, but I'm not sure I'd hold it against them that they got hacked. The VA, NASA and CNH Financial have all been hacked, and some bigger credit card companies, too, although they didn't happen to get ccard numbers at the one I am familiar with.

At the moment, the safest "on line transactions" are the ones that make you sign in with a code "word" and a code "picture" and once you see that both of them are correct, THEN you put in your password. They also use "https" in the URL address line instead of "http". But, of course, that could change at any moment. It's like an arms race - you find a better technology, eventually the hackers break it, at which time you hope there's another newer technology...

... people steal checks out of the mail and lift the ink with common household chemicals and do check fraud against your account, too...

am I paranoid? well, it's only paranoia when they AREN'T out to get you...

I have only one ccard I use on line. I watch it daily. I also have "alerts" set up so that if a transaction is over a certain amount, I will get an email saying that a "big charge" has been made on my account. Then I know I can check it out and make sure it is one that I did. I change my password every 30 days. I use "hard" passwords of over 8 characters, includes a number, a capital letter, a character like !@#$% and I don't use "dictionary" words in English or Spanish. I don't use public computers like at the library to check my ccards.

I'm going to continue to patronize Johnny's and hope that this incident doesn't harm too many people or Johnny's themselves.

Southern Mountains, GA(Zone 6b)

Great advice kmom. Thanks.
