January 10, 2025
(This information has been or will be sent by email to all Dry Eye Shop customers for whom notification of data breach is required by law in the circumstances.)
Highlights
- No credit card information or passwords were involved
- Data exposed was limited to name, address, email and phone
- NO customer data was downloaded or exported by the offending party, according to the company whose software was compromised in this breach
- The purpose of the breach was not theft of customer information (rather, postage theft)
What happened
Unknown individuals obtained access to our shipping system for brief intervals over a 3-day period, after hours and on a weekend at the end of December. They did this for the sole purpose of purchasing large numbers of postage labels using our USPS account.
They hacked in, they processed shipping labels, and they got out. They never touched our customer data.
What information was involved
Information types potentially exposed
Our shipping system is for internal use only. It contains customer names, addresses, phone numbers and email addresses. NO customer credit card information or passwords ever pass into our shipping system.
The hackers did not access customer data
The security team handling the aftermath of this breach at the shipping software company were able to assure us after investigating that no data of any kind, including customer data, was downloaded or exported from our shipping account.
There was no evidence that the hackers were interested in any customer data. The security team were adamant that the purpose of the breach was to penetrate our postal account, not to obtain customer data. This hacking followed the exact pattern of other recent hackings, so the security team were very familiar with every detail of what was done.
What we are doing
We requested the software company to lock down our shipping account entirely on December 29.
During the week of December 30, we waited for the software company to investigate the extent of the breach and advise on the potential impact. We also took steps to verify the security status of the computers used by our team, and to review the security features of all of our software.
In the meantime, we temporarily processed all shipping labels manually, either through our sales system (for USPS labels) or Fedex.com (for Fedex labels).
We explored alternative shipping software, comparing both security features and the features that would allow us to replicate the services we had. In the end, it became clear that our best option was to continue with the same company, but with a completely new account that included authentication features which had not previously been offered to us and which were accelerated because of the breach we experienced. We rebuilt all our customizations in the new account and began using it on Monday, January 6.
We will continue to review our software portfolio to eliminate any potential vulnerabilities.
What you need to do
We do not have advice specific to this breach, since to the best of our knowledge data theft did not occur and no credit card information was exposed or involved in any way.
However, we strongly recommend taking this opportunity to increase your security consciousness! Some resources:
- haveibeenpwned.com, where you can find out if your email address is in a data breach
- FTC advice on phishing scams
- Tips from Microsoft about leaked email addresses