The Silicon Valley-backed nutrition upstart specializing in butter-infused coffee says evil code injected into its website was covertly gulping customers’ payment card details for months.
Bulletproof 360 Inc., purveyors of the fatty coffee touted as a wonder-treatment for mental clarity and weight loss, admitted that from May 20 to October 19 of this year – minus one day on October 14 – hackers slurped sensitive personal information hipsters entered when purchasing stuff online.
The sipped info included bank card numbers, expiration dates, and security codes (CVV), as well as names, postal addresses, and email addresses.
The blunder, discovered mid-October, was disclosed on Monday this week to California officials, as per the US state’s security breach notification laws.
“In mid-October 2017, Bulletproof identified unauthorized computer code that had been added to the software that operates the checkout page at www.bulletproof.com,” Bulletproof said in its mea culpa notification letter [PDF] to customers.
“When we discovered the unauthorized code, we immediately removed it and began an investigation. We have been working with leading computer security firms to examine our systems.”
Bulletproof said it is “working diligently” to shore up its web systems after its security went to pot, and has vowed to prevent similar attacks in future. A spokesperson was not available for comment to explain further.
As is usually the case with these sorts of cockups, Bulletproof is advising its caffeine addicts to keep a close eye on their bank statements for any unauthorized charges brewing. The outfit said it will cover any costs associated with reimbursing fraudulent charges.
The network security breach is particularly grinding for Bulletproof given its tech pedigree and the firm’s particular appeal in Silicon Valley.
CEO Dave Asprey started the organization after stints at NetScaler, BlueCoat, and Trend Micro where he served as veep of cloud security. Bulletproof got into the public spotlight on the back of endorsements from VC and startup execs in the tech world. That the upstart not only lost credit card data, but did so due to a security lapse on its website, is a bad look, to say the least.