Data Breach iSecretShop

Dear Elite CX Solutions Evaluator,

It has come to our attention that one of the industry’s software platform providers, Prism Intelligence (formerly iSecretShop), was recently the subject of a data breach attack.
After further investigation and analysis, we conclude that Elite CX Solutions’ systems were not targeted by this attack.

However, in keeping with our principles of transparency and maximizing security awareness in the industry, we wish to inform you of the details of this attack, what steps we have taken, and next steps you should take.

Summary
Last week, attackers targeted the Prism Intelligence system. The attackers appeared to use a database in their possession containing usernames/emails/passwords with a credential stuffing attack. They would attempt to use their list of usernames/emails/passwords to log in to the Prism Intelligence system as a shopper, and if successful and the shopper had pay pending, would change the shopper’s PayPal email address to one that was controlled by the attackers. The end result would be that any payments due to the shopper would instead be routed to the attackers. While there were a number of shoppers’ credentials used to log in, reports are that only a very small number in the Prism Intelligence system had their PayPal email addresses changed.

Details
Prism Intelligence notified the MSPA of this attack, who promptly notified the member companies in the association. Upon hearing of this attack, our partner Research Metrics’ global security and infrastructure teams collaborated with Prism Intelligence regarding technical details. The teams then performed an intensive investigation and analysis of user activity to determine if our platforms had been targeted. After reviewing all logins and profile “change” activity, we saw no data to indicate that we had been targeted by such an attack.

Concerns / Next Steps
Of key concern is the fact that the attackers had a previously-obtained database of unprotected “plaintext” shopper usernames/emails/passwords. While it is uncertain as to when this database was obtained by the attackers, it was likely obtained from a company involved in the industry. However, we do not believe that this database was obtained from Research Metrics’ or Elite CX Solutions’ platforms for two reasons: (1) many of the email addresses that were used in the attack do not exist in our platforms, and (2) all passwords in Research Metrics’/Elite CX Solutions’ platforms are stored using the best practices of a one-way, unique salted hash – there is no way to “pull a list” of passwords, even by Research Metrics or Elite CX Solutions staff. Prism Intelligence also believes that the compromised database used for the attack was not obtained from them or from a Research Metrics/Elite CX Solutions platform.

For the reasons outlined above, we strongly urge you to change your login credentials on all platforms and companies that you are registered with to ensure you are protected.

As a leader in the mystery shopping industry, vigilance is a core principle of our security posture. We strongly urge you, as an evaluator, to perform the above steps. We will keep you informed of any additional information we learn about regarding this attack and welcome any questions or feedback you have for us.

The Elite CX Solutions Team
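The Summary above describes two linked signals: one source trying many different accounts with mostly failed logins, then a payout-email change on an account that did open. The following detection logic, written for this page and not code from Elite CX Solutions, Research Metrics or Prism Intelligence, correlates those two signals over constructed sample log lines; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real platform data): one source address tries many
# distinct accounts, mostly failing, gets into one, then changes its payout email.
# A second, unrelated user changes her payout email from her own address.
SAMPLE_LOG = """\
2019-03-25T02:00:01 login src=203.0.113.7 user=u1@example.com result=fail
2019-03-25T02:00:02 login src=203.0.113.7 user=u2@example.com result=fail
2019-03-25T02:00:03 login src=203.0.113.7 user=u3@example.com result=fail
2019-03-25T02:00:04 login src=203.0.113.7 user=u4@example.com result=fail
2019-03-25T02:00:05 login src=203.0.113.7 user=u5@example.com result=ok
2019-03-25T02:00:06 login src=203.0.113.7 user=u6@example.com result=fail
2019-03-25T02:03:10 profile_change src=203.0.113.7 user=u5@example.com field=payout_email
2019-03-25T09:15:00 login src=198.51.100.20 user=u9@example.com result=ok
2019-03-25T09:16:30 profile_change src=198.51.100.20 user=u9@example.com field=payout_email
"""

def parse(line):
    """Turn '<ts> <kind> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, kind, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["kind"] = kind
    return ev

def parse_log(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.75):
    """Sources that tried many distinct accounts with a high failure rate."""
    per_src = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ev in events:
        if ev["kind"] != "login":
            continue
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        s["total"] += 1
        s["fail"] += int(ev["result"] != "ok")
    return {src for src, s in per_src.items()
            if len(s["users"]) >= min_accounts
            and s["fail"] / s["total"] >= min_fail_ratio}

def suspicious_payout_changes(events, max_gap=timedelta(hours=1)):
    """Payout-email changes from a stuffing source shortly after it logged in."""
    bad = stuffing_sources(events)
    last_ok = {}  # (user, src) -> time of the last successful login
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["kind"] == "login" and ev["result"] == "ok":
            last_ok[key] = ev["ts"]
        elif ev["kind"] == "profile_change" and ev.get("field") == "payout_email":
            t = last_ok.get(key)
            if ev["src"] in bad and t is not None and ev["ts"] - t <= max_gap:
                flagged.append((ev["user"], ev["src"], ev["ts"].isoformat()))
    return flagged
```

The legitimate change from 198.51.100.20 is not flagged because that address never showed the stuffing pattern; in practice the thresholds would be tuned to the platform's normal login volume.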


Greetings Flyy1220,

My name is Andrew Walker. I am the Chief Operating Officer of Prism Intelligence (which owns iSecretShop).

First and foremost, I wanted to thank you for doing your part to help protect the community. We share the belief that an important component of keeping our industry (and the community) secure and thriving is healthy and open communication.

With that in mind, I would like to formally request that you either change the title of this post, or if that is not possible, please remove this post and create a new one with a different title. The term "data breach" does not apply to the situation. We are getting a lot of inquiries from (understandably) concerned shoppers who saw this and are worried their information was taken from iSS. This is not the situation. Someone stole a huge number of unsecured usernames and passwords from somewhere - not iSS (either within the industry or from one of the large breaches we've been seeing on the news) and is trying to use them all over the place.

iSS caught the attempt. We immediately contacted all potentially-affected iSecretShop shoppers (so if any are reading this and have not heard from us, it is because you were not affected). And we worked with the MSPA immediately upon discovering (and successfully thwarting) the security incident as we wanted to help ensure everyone was alerted to the potential problem.

Please change the title to remove the term "data breach," PLEASE encourage everyone out there to make sure their passwords are secure (and unique to each website they use), and Flyy1220 please let me know if you have any questions or concerns whatsoever.

We are all in this together. Thank you again.

With Respect,

Andrew Walker
Chief Operating Officer
Prism Intelligence/iSecretShop
Andrew Walker,

I am not trying to be argumentative, but I have to ask: What term besides "data breach" is appropriate?

The notification that many of us got about the situation referred to it as a "data breach," so the OP is simply using the same terminology given to him/her by an MSC. Second, by definition, is not the theft of a large number of usernames and passwords a "data breach"? I am confused by your request to change terminology.

I recognize that you are stating that the theft was not made through the iSS platform and I can certainly understand your desire to not have the statement floating about that there was a data breach within Prism Intelligence. However, there was a breach somewhere, was there not?

I thank you in advance for any clarifications that you can make.

Hard work builds character and homework is good for your soul.
I found out the information I needed.

Edited 2 time(s). Last edit at 03/27/2019 01:55PM by breestjon.
This is really weird. I just received this exact email and tried to log in to iSecretShop and I can't. I have not done any assignments in a while for iSecretShop, but would still like to log in and check my account and my email. What is going on? Is anyone else having trouble logging in?
I got the letter and I switched my password. I hardly ever use that platform.

Edited 1 time(s). Last edit at 03/26/2019 05:58PM by breestjon.
OP I agree. While technically this was data theft not a data breach, lay people understand the term "data breach" and are more likely to respond appropriately.
Hello MFJohnston!

I do not believe you are being argumentative at all - and your overall understanding of things is correct. There certainly was a data breach somewhere, at some time. No question. The post title, however, suggests that iSecretShop was breached, which is incorrect - and is sending the wrong message, as we now have shoppers contacting us concerned that we were breached and referencing both this post and/or the letter that our friends at Research Metrics (Shopmetrics) wrote. The one above, from Elite CX Solutions, was penned by Research Metrics.

We alerted every shopper in iSS whose profile was attempted - and alerted everyone in the industry we could - including the MSPA and the other software platforms, and asked them all to be on alert and to ask their shoppers to be attentive to password security.

Thank you for your excellent questions.

Edited 1 time(s). Last edit at 03/26/2019 07:49PM by Prism Intelligence.
Breestjon, I am so glad you posted this! NO ONE from iSecretShop or Prism Intelligence contacted you via LinkedIn.

That is a fraud attempt. They claim to represent us (or another business in the industry). It is a scam. They will try and send you stolen or counterfeit checks and ask you to negotiate them, sending them back most of the money, and letting you 'keep' some for yourself. Do not fall for this.

Thank you for the opportunity to address it here.

Edited 1 time(s). Last edit at 03/26/2019 07:49PM by Prism Intelligence.
I got the same message. Is this true, or is this another scam? I got this from Marguerite Turner. I also saw a lot fewer shops on iSecretShop than usual; I only do about 2 shops a month for them. Please explain, because this is concerning.


Marguerite Turner <mturner@elitecxs.com>
9:32 AM (4 hours ago)
to me


ATTENTION: For your convenience this email contains links that allow you to log onto your account without entering username and password. DO NOT send or forward this email to another person because he/she will get access to these links and may gain access to your account. If you suspect that someone has gained access to this email, please, change your password immediately. Changing your password will deactivate all links in this email.


Don't miss a single notification e-mail! Remember to add Notifications@EliteCXS.com to your address book for uninterrupted delivery.

Attention: Shopper Relations
Hello stormraven73 - and thank you for commenting!

It depends on what incident you are referring to. If you are referring to the original incident that resulted in some scammer possessing a whole bunch of email/password combinations, then technically it was BOTH a data breach AND a data theft. Because they breached some unsecured system and stole all the usernames and passwords.

If you are referring to these same scammers attempting to use those stolen usernames and passwords to try and see if any of them would unlock an iSS user's profile, then there was neither a breach nor a theft. That is what I was hoping OP would clarify. The title reads as if iSS was breached. And your comment makes it sound like there was also a theft. Both of which are true if you are referring to some system somewhere being hacked and burgled by someone. Neither of which are true if you are referring to the recent attempt to access iSS.

I hope this helps clarify and wish you a great day!
I'm interested to know if there are any ideas where the data breach actually occurred. It's very possible there are userid/password combinations out there that were not used to attempt to login to ISS. So even if we weren't notified our information could still be out there.

There are reasons that a body stays in motion
At the moment only demons come to mind
This first came to light the other day and there is another thread here about this. Someone out there has a stolen MSC database. It was not stolen from ISS. We don't know where it came from. Therefore you must change all your MSC passwords if you want to ensure that you change the one that was stolen. That will not solve the whole problem - if you are signed up with whichever company was hacked your information is out there - but it will keep your payments from being diverted to the wrong PP account.
That did not answer the question I asked. I am aware of all of those things. But if the data breach came from Panama Shopping Services and I'm not signed up with them then I have nothing to worry about.

I was making a general post, not responding to yours. No, there's nothing to worry about if you're not signed up with whoever was breached. Since we don't know who was breached I've changed all my MSC passwords. Others can do the same or not. With any luck it's overkill.

@bgriffin wrote:

That did not answer the question I asked. I am aware of all of those things. But if the data breach came from Panama Shopping Services and I'm not signed up with them then I have nothing to worry about.
I haven't logged on to ISS in years, but I do remember many companies that I was shopping for "moving" their platform over to iSecretShop. I wouldn't be surprised if someone has been hanging on to a list that came from one of those companies' original platforms. It actually would make sense considering the incident seems to be limited to iSecretShop and the fact that many of the emails attempted aren't registered. I would assume that an inactive shopper would not have registered whenever said MSC switched over to ISS.
The Federal Mystery Shopping Company Regulatory Commission will come down hard on these Mystery Shopping Companies if they do not use due diligence to protect our personal information! We've got nobody watching our backs, folks. Deal with it.
Federal Mystery Shopping Company Regulatory Commission? I have never heard of that.
@Msaddict wrote:

Federal Mystery Shopping Company Regulatory Commission? I have never heard of that.

They are so secret nobody has ever even heard of them. Even Google has never heard of them.
Did I miss a joke somewhere?

@Sobrokeigot2dothis wrote:

@Msaddict wrote:

Federal Mystery Shopping Company Regulatory Commission? I have never heard of that.

They are so secret nobody has ever even heard of them. Even Google has never heard of them.

Kim
I quoted the wrong thing.

Edited 1 time(s). Last edit at 03/27/2019 01:50PM by breestjon.
Yes, it was a joke. The point is there is nobody watching over these mystery shopping companies. Nobody! They are running rogue. Nobody is making these companies protect our personal information. We are on our own. We are gambling doing business with many of these companies, and when you gamble there are risks involved.
Oh. OK. Got it. I was reading the forum too late at night, I guess. Unfortunately, a data breach can happen in any industry. I've had my credit card number stolen twice. Thankfully I caught it right away.

Kim
Does anyone know which MSC was compromised in the first place? Yesterday was the first I have heard of any of this.
Looks like the Russians are at it once again. The Federal Mystery Shopping Company Regulatory Commission needs to be on the case ASAP.
Good question. Why the big hush-hush?? It's OUR information, so they need to let us know which MSC got hacked.
They may not know who was hacked. Hackers often hold on to information for years before it is used. Like I said before, the MSC that was hacked could have been hacked long before they were on the iSecretShop platform. It could also be an MSC no longer in business.
I had changed my password and successfully logged in. Today it says my information is incorrect, and I can't log in. I changed the password two more times, and even with a new password the information is still incorrect. Anybody else?