Gyft Notifies Affected Users of Security Incident

MOUNTAIN VIEW, Calif.–(BUSINESS WIRE)–In an ongoing effort to protect the accounts and account information of
its users, Gyft is notifying users who may have been affected by a
security incident. Gyft is continuing to investigate the incident and
will take all appropriate steps to protect Gyft users. This Media Notice
is being issued to assist Gyft users and to comply with required notice
obligations.

Beginning on October 3 and continuing through December 18, 2015, an
unknown party accessed without authorization two cloud providers used by
Gyft. This party was able to view or download certain Gyft user
information stored with these cloud providers and made a file containing
some of that user information. As soon as Gyft learned about the
exposure, Gyft began investigating how this user information was
accessed and what risks this potentially posed to Gyft customers.
Fortunately, Gyft has not discovered evidence that anyone used the
information potentially compromised in this incident to access Gyft
accounts, make unauthorized purchases, or otherwise use the information
improperly.

The information potentially accessed from the cloud providers included
names, contact information, dates of birth, and gift card numbers. Gift
card numbers could have been used to make unauthorized purchases. In
addition, Gyft log-in credentials may have been compromised. An
unauthorized party who acquired credentials could have accessed a Gyft
account and used any gift cards in the account with unused balances,
reward points or a Coinbase-enabled account to purchase additional gift
cards.

Importantly, no credit cards stored in Gyft accounts were compromised.
Full credit card numbers are not visible in Gyft accounts and all credit
card purchases on Gyft require entering the card’s security code, which
was not part of the information that may have been compromised.

Shortly after discovering this issue, Gyft acted to prevent unauthorized
access by requiring users whose passwords were potentially compromised
to reset their passwords, and logging out other affected users. The
affected users who have not already changed passwords will be required
to choose a new password the next time they log in.

Gyft recommends that users change their passwords for any online
accounts where the same password was used for a Gyft account. In
addition, if a user has a Coinbase account linked to a Gyft account,
Gyft recommends that the user review any Coinbase transactions beginning
in October 2015, because a linked Coinbase account could have been used
to make purchases within a Gyft account. Users should also monitor any
gift cards that were in their Gyft account before January 8, 2016.

The information potentially compromised in this incident does not affect
users’ credit, but any Gyft user can obtain additional information about
identity theft from the Federal Trade Commission by contacting them at:

• www.consumer.ftc.gov
• 1-877-ID-THEFT (877-438-4338), or
• Identity Theft Clearinghouse
  600 Pennsylvania Ave., NW
  Washington,
  DC 20580.

In addition, consumers can contact the consumer reporting agencies, for
information about placing a fraud alert or security freeze, at:

• Equifax: 1-800-525-6285; www.equifax.com;
  P.O. Box 740241, Atlanta, GA 30374-0241
• Experian: 1-888-EXPERIAN (397-3742); www.experian.com;
  P.O. Box 9554, Allen, TX 75013
• TransUnion: 1-800-680-7289; www.transunion.com;
  Fraud Victim Assistance Division, P.O. Box 2000, Chester, PA 19022-2000

Contacts

For Gyft
Lisa MacKenzie, 503-705-3508
Lisam@MacKenzie-marketing.com