P2021-ND-324

iHerb Inc.

The Organization experienced a breach that resulted in compromised user accounts. The Organization?s notice to affected individuals said that ??beginning in mid-October 2020, an unauthorized party used the login credentials (i.e., email and password) of certain of our customers to access their ? accounts. Based on our investigation, the compromised credentials appear to have been taken from third parties independent of [the Organization] and were not obtained as a result of a compromise of our systems. The unauthorized party may have used these stolen credentials to purchase? products with your existing Rewards credits or your stored payment card.? The Organization reported that the unauthorized party used the login credentials of 3 customers in Alberta to access their online accounts between January 14, 2021 and February 1, 2021. Of the three affected Alberta customers, the unauthorized parties used two customer accounts to engage in activity on the Organization?s website that fraudulently generated new Rewards credits that were added to the relevant accounts. These new Rewards credits were used to purchase the Organization?s products on only one customer account.

File Type: pdf
Categories: 2021
Tags: Unauthorized access