Has Your Best Buy Account Been Hacked?

Have phantom orders been placed using your Best Buy website account that you had nothing to do with? Since the wee hours of this morning, we’ve heard from two separate readers who write that their accounts and credit cards were used to order downloadable content that was delivered to another person’s email address. And if posts on the Best Buy user forums are any indication, they’re far from alone.

H. wrote in first, telling us that three separate orders were placed on her account.



Just discovered today that someone had hacked my Best Buy account which I hadn’t used in over a year, and has been using my account to purchase downloadable content and is sending it to an email address different from the one I used for my account. I was never sent an order confirmation for the first transaction, but fortunately, I did receive a confirmation for the second and third, which tipped me off to the activity so I was able to contact the Fraud dept. After I called Best Buy’s fraud department and filed a report with my local police, I discovered that this is happening to Best Buy customers all over the country.

Amy, too, hadn’t shopped at Best Buy in quite a while, so she was surprised to see an order confirmation in her e-mail. The order was canceled a short time later, but

I recently had a run in with Best Buy. After the x-mas 2011 debacle I have steered clear of shopping there, and spend my money at other stores. On May 1st I received an email saying my order for a $50 PlayStation Network Code had been placed. I was surprised as I had not ordered this. I had another email from a few hours later saying the order had been canceled as they were unable to verify my information.

As I was concerned about fraud I called Best Buy customer service to try and get some help figuring out how this order had been placed. After a long wait time I finally spoke to a cust serv rep. He had a hard time understanding what I was saying when I told him there was an order on my account that I had not placed. He then told me that it could not be fraud because I had placed the order. I told him again I had not placed it. He suggested my child(ren) might have placed it while playing a game. I assured him my child(ren) did not place an order as the PlayStation had not been turned on at all that day, and no one had the password to my account. I asked to speak to the fraud department, and was told they do not have a fraud dept phone number or contact person for customers. In frustration I searched the Best Buy website for help. I stumbled upon the discussion boards, read about people having similar issues, and posted my request for help there.

Here is the link to my thread.

You might also want to check this thread:

When the “mod” finally replied to my request for help it was to tell me to go back to my bank and the local authorities (neither will help – my bank wont care as the funds weren’t withdrawn, and what is my local police department going to do about an issue with an Internet store’s information breach?) I was also told the “appropriate parties” had been notified of the situation. What does that mean?

He said that Best Buy phone and email support teams do not have the ability to investigate individual charges. My follow up request to be contacted by someone from the fraud dept, and my questions about why so many Best Buy customers are having the same issue have been ignored. Other customers are posting their same issues onto my thread.

If anyone else out there has experienced something similar, please let us know. Editors are standing by.

Comments

Edit Your Comment

  1. dragonfire81 says:

    I suspect a Best Buy employee (or employees) with access to the account info may be the cause of this.

    • homehome says:

      And you base this on what?

      • Blueskylaw says:

        Common Sense? It’s what you would expect from Best Buy?

        • homehome says:

          Are you sure you’re not confusing common sense with blind bias lol, considering you have no facts. Personally, I have had no problems with BB, so no I would not expect it.

          • Blueskylaw says:

            We are to admit no more causes of natural things than such
            as are both true and sufficient to explain their appearances.

            In other words, the simpler explanation is probably the correct one.

            • homehome says:

              Actually the simpler explanation is that somebody hacked their account and BB had nothing to do with it, you blaming BB is the more complicated explanation. Plus since I actually worked at BB before, they can’t just pull CC #s like that especially since they said they hadn’t used the card in over a year, the only time an employee in store sees a CC # is when the actual card is there. And only the ones with higher level access (which few ppl have and it’s not store employees for sure) managed to steal their account and the only thing they use it for is DLC on their card? That doesn’t even make sense. Someone that high up makes at least 60K, more than like 6 figures and they’re going to use it to buy DLC which probably costed 20 to 25 a pop? Come on think about that for a second and use your REAL common sense.

  2. polishhillbilly says:

    No, I don’t shop or even set foot into a best buy.

  3. Coyote says:

    Probably the usual combination of weak passwords and passwords shared with other compromised services.

    BB employees don’t have the kind of account access they would need to make purchases.

    If you’re concerned, don’t save a credit card on the account.

    • BurtReynolds says:

      Weak passwords is partly BB’s doing. I just logged into my long dormant BB account to check the account and reset my PW. I usually use upper and lower case, numbers, and a symbol. Preferably a space too but most sites don’t allow that.

      Surprise, surprise, but Best Buy kept kicking back my password saying you can’t use a space. Never mind that I wasn’t trying to use a space, just something like this aBcd1234$. I eventually had to make a new password that was just lower case and numbers. That is real secure. Of course some CC companies aren’t any better.

      • Coyote says:

        They probably do some genius move of replacing “nasty” characters like single quotes with spaces instead of properly SQL-escaping them.

      • Princess Beech loves a warm cup of treason every morning says:

        I agree. I’ve been in Corporate and the same goes for corporate passwords. They don’t accept complex passwords for some reason which is exasperating.

  4. Blueskylaw says:

    “Has Your Best Buy Account Been Hacked?”

    Most likely it has been, but it seems the hackers do it just so
    they won’t have to open their own account before going to Amazon.

  5. easymacfu says:

    They’re telling me my e-mail address doesn’t exist, even though I know 100% that I have an account on best buy.

    • castlecraver says:

      I have a Reward Zone account but not a BestBuy.com account. Perhaps this is what you’re thinking of?

  6. philpm says:

    Just checked mine and no activity on it.

  7. citking says:

    One of my wife’s coworkers just had this happen to her last Monday. Someone went into her Best Buy account and drained her checking account making fraudulent purchases. She was able to go to her local credit union and get the charges reversed but she has no idea how her account was accessed.

  8. brownieandvanilla says:

    I also got hacked on the 11th, same thing one PSN card ($50), one iTunes ($50) and one for ($100), the last one got cancelled (Thank God), all emailed to a yahoo email, if I hadn’t bought a couple of happy nappers from best buy I would’ve never found out until I got my cc statement (I never ever got an email confirming the buy or nothing)

    I called customer service, I don’t know if being a premier silver makes a difference, but both representatives were helpful and apologized, gave me a case number and said they would send it to the fraud dpt. and hopefully get my money refunded, she also went ahead and did a reset on my acct. to erase all credit cards.

    I inmediately called my cc company and cancelled that, logged my reward zone tried to make a password change and the site got weird on me, and didn’t let me but I changed it, I just don’t know to what, since it doesnt let me log in with old info, so something changed.

    I don’t know what happened but I hope best buy realizes that something is wrong, and fixes it before more people get screwed.

  9. Pete the Geek says:

    After reading those links and the BestBuy forum staff responses, it appears there is no way to directly contact the BestBuy fraud department (or perhaps they don’t have one) and the only way BestBuy will start an investigation into a possible breach of their online purchasing system is if each victim reports the matter to their local police AND if the local police initiate contact with BestBuy about the case.

  10. CornwallBlank says:

    I’ve just finished reading through all the comments on the Best Buy forums.

    It very much appears that a class breach is in progress: these are not isolated events. The methodology being used is nearly the same in all of them, and is clearly designed to focus on virtual goods instead of physical ones (thus removing the need for the perpetrators to be physically present at any Best Buy location and thus decreasing the probability they’ll be caught). What’s not clear is whether those behind this actually have the credit card numbers or not; they might, or they might have found a way to just use them (without knowing them) via the Best Buy’s website’s backend ordering mechanism. My surmise is that the perpetrators intend to resell these goods (given the nature and amount of what they’re ordering) thereby sticking a second set of victims with stolen and likely unusable goods while ending up with their cash.

    However, it is clear that (a) Best Buy’s secure processes are badly broken: see the numerous references to email addresses that aren’t exact matches for existing/known ones as well as the lack of a clear, accessible, usable fraud reporting mechanism and (b) Best Buy is stalling, denying, obfuscating, etc. in order to avoid admitting to its customers that a significant security incident is happening. An open question is whether Best Buy has taken the initiative to search its transaction history and flag all similar purchases for review — which would be, to say the least, prudent at this point.

  11. lvdave says:

    Maybe its just me, but I’d swear that ANYbody with any sense who has read Consumerist for ANY length of time, KNOWS you DO NOT have anything to do with BestBuy… If you violate that rule, you’re just asking for this kind of utter incompetance..

  12. Bane of Corporations says:

    Don’t worry, I’m sure Best Buy is taking it very seriously.

  13. chaz_u4ea says:

    My account got hit as well. Clearly the security for accounts is lacking. The order in my case included a inexensive item shipped to my home and downloadable iTunes gift card. Best Buy Consumer Relations was helpful but would not share details about the email address entered to receive the downloadable content. I was advised to file a police report (not sure what the local law enforcement can do) and fax them the report.

    The rep I spoke to indicated that multiple retailers were hit so clearly a third party provider is involved.