Jump to content

Records By Mail (not Discogs) Data Breach


Recommended Posts

Discogs, a.k.a. Records By Mail, distributed this earlier today.  I know some of us use their services from time to time so, in case you hadn't heard, you'll be aware of it.  Here's the note from Craig Moere and Tim Zagelow:

1px.png

 
Screen%20Shot%202020-12-28%20at%2010.16.

RBM News

Records by Mail is contacting you to share information about a data security incident that involved your personal information.  We are notifying you so that you are aware of this situation, understand what we are doing in response, and know the resources that can help you if you have questions. We take your privacy seriously and value your trust, so please review this communication and let us know if you have any questions.

 

What Happened

On November 22, 2020, Records By Mail discovered that a bad actor accessed our server and two customer databases on it. The first database with data from 1995 to 2020 contained no credit card information but did contain other customer personal information. The second database with data from 1995 to 2017 did contain encrypted card numbers and passwords for the subset of customers who had dedicated accounts with Records by Mail. In the interest of caution, we are notifying all parties whose personal information, no matter how limited or dated, could be accessed. 

The bad actor was not able to view credit card account numbers or Records By Mail account passwords, because that information was encrypted. However, the data that the bad actor was able to access may have included some combination of your unencrypted name, shipping address, billing address, telephone number, fax number, email address, credit card expiration date, and credit card verification value (CVV) number (but not the associated credit card numbers). We have no reason to believe that the data that the bad actor accessed will be misused in the future.

 

What We Are Doing

Records By Mail is continuing to gather information about the incident and is taking additional steps to protect your data.  We shut down the impacted database and are building a new database that will have added security for customer records. Records by Mail’s existing website remains offline, but we will soon debut a new website with improved security features. In the meantime, Records by Mail will continue to sell through third parties such as eBay, Discogs and Amazon.

 

What You Can Do

While we hope you will not experience any further inconvenience or issues, we recommend that you remain vigilant and immediately report any suspicious activity related to this incident or your accounts to the proper law enforcement authorities in your area.  In addition, you can contact tim@recordsbymail.com or call 503-232-1735 if you have questions.

We value the trust you have placed in Records By Mail and deeply regret any concern this incident may cause.

 

Sincerely,

Craig Moerer

Tim Zagelow

1px.png

RBM News

Screen+Shot+2020-12-28+at+10.16.05+AM.pn

Records by Mail is contacting you to share information about a data security incident that involved your personal information.  We are notifying you so that you are aware of this situation, understand what we are doing in response, and know the resources that can help you if you have questions. We take your privacy seriously and value your trust, so please review this communication and let us know if you have any questions.

What Happened

On November 22, 2020, Records By Mail discovered that a bad actor accessed our server and two customer databases on it. The first database with data from 1995 to 2020 contained no credit card information but did contain other customer personal information. The second database with data from 1995 to 2017 did contain encrypted card numbers and passwords for the subset of customers who had dedicated accounts with Records by Mail. In the interest of caution, we are notifying all parties whose personal information, no matter how limited or dated, could be accessed. 

The bad actor was not able to view credit card account numbers or Records By Mail account passwords, because that information was encrypted. However, the data that the bad actor was able to access may have included some combination of your unencrypted name, shipping address, billing address, telephone number, fax number, email address, credit card expiration date, and credit card verification value (CVV) number (but not the associated credit card numbers). We have no reason to believe that the data that the bad actor accessed will be misused in the future.

What We Are Doing

Records By Mail is continuing to gather information about the incident and is taking additional steps to protect your data.  We shut down the impacted database and are building a new database that will have added security for customer records. Records by Mail’s existing website remains offline, but we will soon debut a new website with improved security features. In the meantime, Records by Mail will continue to sell through third parties such as eBay, Discogs and Amazon.

What You Can Do

While we hope you will not experience any further inconvenience or issues, we recommend that you remain vigilant and immediately report any suspicious activity related to this incident or your accounts to the proper law enforcement authorities in your area.  In addition, you can contact We value the trust you have placed in Records By Mail and deeply regret any concern this incident may cause.

Sincerely,

Craig Moerer

Tim Zagelow

Link to comment
Share on other sites

Wait, what???

Records by Mail IS discogs? How the hell did I not know this, and what is the implication? He doesn't say discogs was hacked, that his mail-order house was. I order thru discogs though usually utilizing paypal way more often than I've ever used RBM, and if my info was on their server, and they actually did reach acct #s, I am practically certain that info was at least one updated card ago.

I really want to know now what company was hacked. 

Link to comment
Share on other sites

RBM sells on Discogs but I can't find anything to suggest they're the same entity.

And as I see it Discogs is a marketplace rather than seller and I can see no reason why they would hold financial details. All transactions are carried out with individual sellers not Discogs per se.

Happy to be proved wrong by someone more knowledgeable.

Link to comment
Share on other sites

5 hours ago, mjazzg said:

RBM sells on Discogs but I can't find anything to suggest they're the same entity.

And as I see it Discogs is a marketplace rather than seller and I can see no reason why they would hold financial details. All transactions are carried out with individual sellers not Discogs per se.

Happy to be proved wrong by someone more knowledgeable.

Correct, Discogs is a marketplace that holds no financial details. The transactions are done directly with the sellers, not Discogs. The title of this thread is incorrect and misleading.

Note that Discogs is mentioned as a "third party" in Records By Mail's message ("What we are doing"), and that's exactly what it is.

 

-edit-  Just noticed that the originally incorrect thread title has been edited.

Edited by J.A.W.
Link to comment
Share on other sites

49 minutes ago, mjazzg said:

 

And as I see it Discogs is a marketplace rather than seller and I can see no reason why they would hold financial details. All transactions are carried out with individual sellers not Discogs per se.

 

Is this really true currently? Because I see options to use a c/c directly and sometimes options for paypal only.  I thought the c/c payment was a pass thru from discogs to seller, an option sellers can choose? I'll be happy to know if that is not the case but how does discogs get paid otherwise?  Rely on sellers to "give back" their fee at the end of every month??

Link to comment
Share on other sites

11 minutes ago, Dan Gould said:

Is this really true currently? Because I see options to use a c/c directly and sometimes options for paypal only.  I thought the c/c payment was a pass thru from discogs to seller, an option sellers can choose? I'll be happy to know if that is not the case but how does discogs get paid otherwise?  Rely on sellers to "give back" their fee at the end of every month??

Again, it's Records By Mail that was affected, not Discogs; they're two separate entities. I don't think Records By Mail is giving their customers' financial details to Discogs. People are buying stuff from RBM that was advertised on Discogs and are dealing directly with RBM. Unlike Amazon Discogs is not involved in the financial handling of the sale other than taking a fee from the seller.

Edited by J.A.W.
Link to comment
Share on other sites

Indeed ... J.A.W. says.
As for "Records by Mail aka Discogs", the secondhand record shop my son works at as a side job at his university town is quite active on Discogs. But they MOST DEFINITELY are not a subbranch of RBM (which they would have to be if "Records by Mail aka Discogs" were true by any stretch of the imagination. And this is just ONE tiny example of shops selling on Discogs without having any connections with RBM.

What RBM ought to tell, though, is their eBay account (and the data collected via eBay transactions) affected too? Because RBM do not mention Discogs in any way that is different from eBay in their statement. Or the other way round, the thread should really be about RBM only, not Discogs.

Link to comment
Share on other sites

1 hour ago, J.A.W. said:

Again, it's Records By Mail that was affected, not Discogs; they're two separate entities. I don't think Records By Mail is giving their customers' financial details to Discogs. People are buying stuff from RBM that was advertised on Discogs and are dealing directly with RBM. Unlike Amazon Discogs is not involved in the financial handling of the sale other than taking a fee from the seller.

I understood Discogs is not effected and that Dave James must have been misinformed.

 My concern was the payment system used by discogs.  I assumed that they at least operate the direct credit card payment system as its on their website and available for use in lieu of paypal. But you are saying they only get paid by seller post-sale. I guess that works to make sure you get your cut - if you don't they lose that major avenue for sales.

Link to comment
Share on other sites

I find all this a little more than ironic because, a few months ago, the following started appearing whenever I'd go to Discogs:

We Care About Your Privacy

We and our partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below, including your right to object where legitimate interest is used, or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data.

We and our partners process data to provide:

Actively scan device characteristics for identification. Use precise geolocation data. Store and/or access information on a device. Create a personalised content profile. Select personalised content. Apply market research to generate audience insights. Measure content performance. Develop and improve products. Create a personalised ads profile. Select basic ads. Select personalised ads. Measure ad performance. Personalised ads, and ad measurement.

This sounded so creepy that I never accepted their terms, and I stopped using Discogs for research.  It's pretty disingenuous that they start by saying "We Care About Your Privacy," and then enumerate all the ways they take your personal information and share it with "our partners," whoever they might be.

Link to comment
Share on other sites

9 minutes ago, mjzee said:

I find all this a little more than ironic because, a few months ago, the following started appearing whenever I'd go to Discogs:

We Care About Your Privacy

We and our partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below, including your right to object where legitimate interest is used, or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data.

We and our partners process data to provide:

Actively scan device characteristics for identification. Use precise geolocation data. Store and/or access information on a device. Create a personalised content profile. Select personalised content. Apply market research to generate audience insights. Measure content performance. Develop and improve products. Create a personalised ads profile. Select basic ads. Select personalised ads. Measure ad performance. Personalised ads, and ad measurement.

This sounded so creepy that I never accepted their terms, and I stopped using Discogs for research.  It's pretty disingenuous that they start by saying "We Care About Your Privacy," and then enumerate all the ways they take your personal information and share it with "our partners," whoever they might be.

These are standard privacy terms on most of the websites. In the EU all the websites have to provide a clear disclaimer of this type - and give you an option to opt out (however cumbersome it might be in reality) - as per GDPR. In the US they did not have to do it, as far as I understand. Maybe they do now. Just because you don't have such a pop-up whenever you login on any other website, it does not mean their privacy terms are any better. If you are curious, look for Privacy Policy on any website you visit - a lot of fun stuff there.  

Link to comment
Share on other sites

Yes, I work with these matters in my daily job, and you've got to assume that any online vendor that is not just a one-man business with a storefront is as intrusive (or worse) in the way they monitor your online behavior. 

Edited by Daniel A
Link to comment
Share on other sites

10 minutes ago, Dave James said:

Sorry if I rang an unnecessary bell, but the fact that Craig Moerer runs both Discogs and Records By Mail, I thought the message was a advisement about both entities.  See below:

https://www.discogs.com/user/recordsbymail

What does this have to do with running discogs???

You seem to be asserting facts not in evidence and then doubling down with out anything to back it up.

Link to comment
Share on other sites

23 minutes ago, Dave James said:

Sorry if I rang an unnecessary bell, but the fact that Craig Moerer runs both Discogs and Records By Mail, I thought the message was a advisement about both entities.  See below:

https://www.discogs.com/user/recordsbymail

The fact that Moerer posted that RBM message on Discogs doesn't necessarily mean he runs them both. Anyone can join Discogs and then post a message there. There's no evidence whatsoever Moerer runs them both.

Moerer is not included in the team that runs Discogs, nor did he found it.

Discogs team

Discogs' story (scroll down)

In short: Moerer is selling records on Discogs, but he's not running it.

Edited by J.A.W.
Link to comment
Share on other sites

1 hour ago, Dan Gould said:

What does this have to do with running discogs???

You seem to be asserting facts not in evidence and then doubling down with out anything to back it up.

Sorry if I made a mistake by letting people know about this.  You've always been a prick. Thanks for confirming it.

Link to comment
Share on other sites

3 minutes ago, Dave James said:

Sorry if I made a mistake by letting people know about this.  You've always been a prick. Thanks for confirming it.

You messed up the message by extending it to include discogs, by implication.

Your assertion about Moerer and discogs has no basis in fact.

A normal human being would say, "whoops fellas, sorry for connecting him to discogs. Guess I was wrong."

But no, you double down on your assertion with zero evidence behind it again.

And I'm the prick in this.

Yeah right.

Link to comment
Share on other sites

12 minutes ago, Dave James said:

Sorry if I made a mistake by letting people know about this.  

What is it, exactly that you think you're letting people "know about"?

I edited the title of this thread because facts matter. So unless you have proof that Craig Mohrer and Discogs are the same thing, you are spreading false information through social media.

Ain't gonna happen here.

Link to comment
Share on other sites

1 hour ago, Dave James said:

Sorry if I made a mistake by letting people know about this.  You've always been a prick. Thanks for confirming it.

You saw someone post a message on a marketplace site, assumed he ran the site and posted your assumption here as a fact without evidence to back it up, and now you're calling someone else names because he questioned your false information? Reminds me of someone in high office...

Edited by J.A.W.
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...