Dear Gyft Users:We recently notified some Gyft users of an incident in which an unknown party may have gained unauthorized access to certain Gyft user information. If you were affected, you should receive a notice at either (a) the physical shipping address that you have entered during a Gyft purchase; or (b) the email address(s) on your Gyft account(s).If you have additional questions about this incident, please go to myidcare.com/gyft.We are taking this incident very seriously. As soon as Gyft learned about the exposure, we began investigating how this user information was accessed and what risks this potentially posed to Gyft customers. Fortunately, we have not discovered evidence that anyone used the information potentially compromised in this incident to access Gyft accounts or make unauthorized purchases.Below you can read the information provided to affected users about this incident. Notice of Data BreachWhat Happened?Beginning on October 3 and continuing through December 18, 2015, an unknown party accessed without authorization two cloud providers used by Gyft. This unknown party was able to view or download certain Gyft user information stored with these cloud providers and make a file containing some of that user information.What Information Was Involved?The information potentially accessed from the cloud providers included some users’ names, addresses, dates of birth, phone numbers, email addresses, and gift card numbers. Gift card numbers could have been used to make unauthorized purchases. In addition, if you attempted to use Gyft between March 19 and December 4, 2015, your Gyft log-in credentials may have been compromised. An unauthorized party who acquired your credentials could have accessed your Gyft account and used any gift cards in your account with unused balances, or used available reward points or a Coinbase-enabled account to purchase additional gift cards. Importantly, no credit cards stored in Gyft accounts were compromised because full credit card numbers are not visible in Gyft accounts and any credit card purchases require the three- or four -digit security code on the back or front of the card, which was not part of the information that may have been compromised.What Are We Doing?Shortly after discovering this issue, Gyft acted to prevent unauthorized access by forcing users whose passwords were potentially compromised to reset their passwords and logging out other affected users. Affected users who have not already done so will be forced to choose a new password the next time they log in. We also reset the Coinbase tokens for all affected customers. We are continuing to investigate the incident and will take all appropriate steps to protect Gyft customers.What You Can DoWe recommend that you change your password for any online account where you use the same password that you used for Gyft between March 19 and December 4, 2015. As discussed above, credit cards stored through Gyft were not affected by this incident. However, if you have a Coinbase account linked to your Gyft account, we recommend that you review any Coinbase transactions beginning in October 2015, because a linked Coinbase account could have been used to make purchases within your Gyft account. You should also monitor any gift cards that were in your Gyft account before January 8, 2016.Although the information potentially involved in this incident does not affect your credit, we are required by law to provide you certain information about your credit report and identity theft. This information appears below.You may also contact us in writing at 150 W. Evelyn Avenue, Suite 300, Mountain View, CA 94041, or you can call us at 866-298-0504.On behalf of Gyft, we regret any inconvenience this may cause you.Sincerely,CJ MacDonaldChief Operating Officer, Gyft
