Eye4Fraud data breach

In February 2023, data was listed for sale on a hacking forum. It has been alleged that the data was stolen, ironically, from the "fraud protection service" Eye4Fraud.

The data, comprising 16M unique email addresses, included both direct users of the service and what appear to be individuals who had placed orders on other services that implemented Eye4Fraud to protect their sales. It included names and bcrypt password hashes for users, and names, phone numbers, physical addresses and partial credit card data (card type and last 4 digits) for orders placed using the service. So far, Eye4Fraud has not commented, nor responded to multiple attempts to report the incident.

This one is slightly trickier to manage than is typical in a data breach, as a victim's data could be present at Eye4Fraud for either of two reasons: they signed up directly, or another merchant with whom the victim does business signed up with Eye4Fraud and transferred the personal data that way. In the latter case, it's not yet clear whether passwords were present in the breach, and if so, which ones. For now our recommendations are:

Immediate actions

  • If you are aware that you have used your School email address and password to sign up directly to the site, please change your School password as soon as practical. Guidance on how to do that is available.
  • If you have used that password anywhere else, particularly if you have used it for your personal email address or other personal services (e.g. banking, utilities, etc.), then you should reset that password in those places also. Please try to use a unique password in each case.
  • If you are confident that you didn't sign up directly to the site yourself, please be alert to scams which might leverage data exposed by the breach.

At present, there is little clarity as Eye4Fraud have refused to acknowledge the breach, or respond to breach reports. We'll update this page as more (relevant) information becomes available.