My god, this is true. I just went to the website and wasn't even logged in. I clicked LOGIN and without prompting me for a password or anything, it said "Hello Kevin" and I could also see this other person's details.
I just went there (I've never been there before, I've never used this place), and hit the login button. "Welcome back David", along with all his info and his password already typed in, etc.
Damn, I just tried as well and was able to get into some poor fellow named James' account from Virginia. I tried again and got the account of "DDD Sux".
As a customer of DDD, I have sent them a furious email. Hopefully they take the site down now until the problem is fixed!
Yah, I'm Neil & David so far. OH and get this, now I'm "Hello Compromised by DDD" AND "DDD Sux". I'm sure someone has thought of calling them, but just in case, I'm on hold right now.
OK. They said they are aware of it, couldn't offer an explanation, and are in the process of shutting the site down right now. It seems a lot of people have called, the first thing the lady said when coming on the line was "Thank you for calling DDD, are you calling about the website?"
What's great about that site though, is the integrity of the people running it. They now have the following message there: No warning that we've been hacked, no "make sure your credit card info hasn't been compromised", simply a misleading statement to those who don't know about it. Seems like a really bone-headed move to me. Which would you trust more? A site that's been hacked and is up-front about it, or a site that tries to hide from their customers the fact that their credit card info might have been stolen? It's not like the other customers aren't going to find out about this, and they're going to be a lot more pissed about being lied to than anything else.
I use a credit card with software that generates a unique credit card number for each online transaction. The number on my credit card is never revealed. You can use a web-based service or install PC software.
Once about a year ago my bank called me telling me they had cancelled and reissued my card with a new number on an advisory.
They would not say WHO it was, but I immediately suspected DDD as they were about the only web site I dealt with on that card.
Of course, that wouldn't be a true statement either from what I can see. From what was described, it sounds far more like a bug than being hacked. That said, I'd hope they'd eventually email people whose accounts were accessed, but I don't know that it's necessary for everyone to be notified.
I'm willing to bet things like this happen to various websites over the course of their being online. Sometimes, such as in this case, we find out about it. Others, I'm sure, we don't find out about and as such, don't worry about.
Without someone posting this info, most people wouldn't be aware of it.
The site itself is a great site. For me, the process of buying it there is quite a good deal cheaper than me driving nearly 40 minutes to the closest store, buying it (usually a dollar or two more than the site, as well as paying tax on top of that extra dollar), etc.
So, price, tax, gas, time all factored in, I usually pay about five dollars more than buying it online. Their customer service has always been top-notch when I've dealt with them, and as such, I've been led to believe they are a good site.
One problem such as this will not lead me to stop buying from them...
Regardless if your account was compromised or not I think DDD should notify all customers about what happened. Every customer has the right to know what happened and to make a decision if they will continue doing business with them.