Has Ibotta been hacked? The cash-back rebate app says no. But hundreds of users say yes, and they have the empty account balances to prove it.
So which is it, then? The answer is kind of complex.
“I’ve been hacked!”
Some Ibotta users began sounding the alarm a couple of weeks ago, when they received cheerful emails from Ibotta confirming their request to cash out their accounts. The only problem was, they never requested such a transfer. Other users began reporting that they were locked out of their accounts altogether, and still others who were able to log in found that the cash-back balances they had accumulated were gone – cleaned out by unknown persons who had somehow accessed their accounts and helped themselves to what they found.
“It was real quick and done in the middle of the night. They cashed out for Amazon and iTunes gift cards,” one user complained on Ibotta’s Facebook page.
That led to accusatory speculation that Ibotta itself had been hacked. Someone clearly accessed users’ information, after all, and stole the cash they had earned over the course of months or even years. One user claimed to have lost more than $3,000, though most affected accounts contained far less, considering users are able to cash out as soon as their balance reaches $10.
But Ibotta denies it was hacked at all.
“We’ve done a thorough analysis of Ibotta systems and procedures and determined that it was not our system that was the cause of any of the issues. We’re 100% confident in that conclusion,” Ibotta Vice President of Marketing Richard Donahue told Coupons in the News. “It was not Ibotta that was hacked, but individual users that did not take proper security measures. This may happen if they use the same login information, including email and password, across several accounts.”
That echoes what Ibotta had been telling affected users from the start – that their “login information was compromised through another source, not Ibotta. We cannot control and do not bear any responsibility for outside intrusions which result because of this.”
But that initial tone didn’t sit well with some users. “I got little help from Ibotta,” user Veronica told Coupons in the News. After reporting to Ibotta that her $23 account balance had been depleted, she said she received an email saying “my account was secure and they had no way to prove the transfer wasn’t done intentionally by me – basically, indirectly accusing me of making up the whole story to be able to cash out twice.” Another user, who shared with Coupons in the News her correspondence from Ibotta, was informed that Ibotta was “unable to verify that this was not a legitimate transaction,” and was told to report the fraudulent activity to PayPal, because “the money was stolen from you, not Ibotta.”
Who’s really at fault?
So was this user error, or a larger issue with Ibotta itself?
To many users, it does seem awfully suspicious that so many Ibotta accounts just happened to be compromised all at the same time. And if someone gained access to individuals’ emails and passwords from another site, what hacker would even think to use that information to log on to Ibotta, on the off chance that individuals also used the same emails and passwords there? Ultimately, it seems implausible that, compared to much more lucrative bank and credit card accounts, hackers would target a relative handful of small-potatoes balances in Ibotta accounts, where users earn money just a buck or two at a time.
But one security expert says that’s entirely plausible.
“All of this stuff starts small,” Adam Levin, chairman and founder of fraud detection company IDT911, told Coupons in the News. “These are the same people who charge credit cards small amounts like $9.84, and they’re happy to get it – from tens of thousands, or hundreds of thousands, of people.”
But why Ibotta? In recent years, “there have been so many breaches, so much data has been stolen, it is not surprising that they’re trying all sorts of environments,” Levin said of the fraudsters. “It just shows you the magnitude of what’s out there.”
Ibotta’s Donahue agreed. “Ibotta has paid its users tens of millions of dollars over the past few years, which means we are sometimes a target of these events,” he said. “What happened in these few instances actually happens fairly frequently when usernames and passwords enter the public domain, and other institutions were almost certainly targeted as well, though we cannot say for sure.”
It’s happened before (and will happen again)
Ibotta is not, in fact, the only platform that’s been targeted. In a remarkably similar situation just a couple of months ago, a number of Groupon users took to social media to complain that their accounts were compromised, and unauthorized purchases were charged to them. Groupon denied it was hacked and, much like Ibotta has said, warned that individuals may have had their credentials compromised on another site.
“There are many people who use the same user ID and password across multiple accounts,” Levin said. “Too often with consumers, convenience trumps security.” Bad actors can go phishing for email, eBay, social media or any number of other account passwords, tricking people into responding to a fraudulent email or submitting their passwords on a fake website. Or they can dedicate computers to do nothing but try multiple possible passwords for millions of accounts until they hit upon combinations that work. And sometimes, they can simply take a lucky guess. It’s a pretty sure bet that someone is going to have “123456”, or “password”, as their actual password for more than one online account.
And once the bad guys have your password for one online account, of any kind, they wager there’s a good chance you might use that same user ID and password on another account – like Ibotta.
So Ibotta may not have been a target in and of itself, so much as it was just another thing for the bad guys to try. If they guessed enough wrong passwords, they got locked out and Ibotta prevented them from guessing any more – so they moved on, leaving the affected Ibotta users locked out of their own accounts. And if the bad guys got lucky, even just a few hundred times, that’s a few hundred accounts they were able to drain – enough, potentially, to have made it worth their while.
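The pattern described above – one source trying stolen email/password pairs against many accounts, a few working, the rest failing – is usually called credential stuffing, and it has a tell that a per-account lockout alone does not catch: each account is tried only once or twice, so no single account trips the failure threshold, while one source address touches dozens of accounts with a low success rate. The script below is an added example, not Ibotta's code or log format; the log lines are constructed, and the thresholds (five distinct accounts per source, success rate at or below 50%, five failures for a per-account lockout) are assumed policy values, not anything the article reports.

```python
"""Flag credential-stuffing activity in login logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "timestamp source_ip account result". 198.51.100.7 walks a
# list of accounts once each; 203.0.113.5 is one user mistyping their own password.
SAMPLE_LOG = """\
2017-07-02T02:14:01Z 198.51.100.7 alice@example.com FAIL
2017-07-02T02:14:02Z 198.51.100.7 bob@example.com FAIL
2017-07-02T02:14:02Z 198.51.100.7 carol@example.com OK
2017-07-02T02:14:03Z 198.51.100.7 dave@example.com FAIL
2017-07-02T02:14:03Z 198.51.100.7 erin@example.com FAIL
2017-07-02T02:14:04Z 198.51.100.7 frank@example.com FAIL
2017-07-02T02:14:05Z 198.51.100.7 grace@example.com OK
2017-07-02T08:30:11Z 203.0.113.5 alice@example.com FAIL
2017-07-02T08:30:20Z 203.0.113.5 alice@example.com OK
2017-07-02T09:00:00Z 192.0.2.9 heidi@example.com OK
"""

# Assumed policy thresholds, not values taken from the article.
PER_ACCOUNT_LOCKOUT = 5      # failures on one account before it is locked
MIN_DISTINCT_ACCOUNTS = 5    # one source touching this many accounts is suspicious
MAX_SUCCESS_RATE = 0.5       # legitimate users succeed far more often than this


@dataclass
class SourceStats:
    """Per-source-IP counters used to spot stuffing."""
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)    # every account this IP tried
    successes: set = field(default_factory=set)   # accounts it actually got into


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((ts, ip, account, result == "OK"))
    return events


def detect_credential_stuffing(text):
    """Return suspicious source IPs, accounts they entered, and accounts a lockout would catch."""
    by_ip = defaultdict(SourceStats)
    fails_by_account = defaultdict(int)
    for _ts, ip, account, ok in parse_log(text):
        stats = by_ip[ip]
        stats.attempts += 1
        stats.accounts.add(account)
        if ok:
            stats.successes.add(account)
        else:
            stats.failures += 1
            fails_by_account[account] += 1

    suspicious = []
    for ip, stats in by_ip.items():
        success_rate = (stats.attempts - stats.failures) / stats.attempts
        # Many distinct accounts from one source with mostly failures: stuffing, not a typo.
        if len(stats.accounts) >= MIN_DISTINCT_ACCOUNTS and success_rate <= MAX_SUCCESS_RATE:
            suspicious.append(ip)

    # Successful logins from a flagged source are the accounts to step up or freeze.
    at_risk = sorted(acct for ip in suspicious for acct in by_ip[ip].successes)
    # What a per-account lockout alone would have caught: here, nothing.
    locked = sorted(a for a, n in fails_by_account.items() if n >= PER_ACCOUNT_LOCKOUT)
    return {"suspicious_ips": sorted(suspicious),
            "accounts_at_risk": at_risk,
            "locked_accounts": locked}


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

Run against the constructed log, the per-account lockout list comes back empty, because no account saw more than two failures, while the per-source view flags 198.51.100.7 and names the two accounts it entered. That is the practical lesson of the Ibotta episode: lockouts protect an account from being guessed, but the accounts that were drained were the ones where the first guess worked, and only source-level counting surfaces those.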
If your Ibotta account was emptied, the people who figured out your password may not even be the ones who have your money. Account information is often bought and sold on the black market, so whoever ultimately used your information to access your account may well be several degrees of separation away from the original hackers. “I bought two Ibotta accounts from reddit,” the owner of an email address identified as accessing an Ibotta user’s account told Coupons in the News. “The seller claimed that they were his. Never thought of the fact that the seller lied to me.”
That individual ended up refunding the money to the affected Ibotta users, taking the loss himself, since he said the person from whom he purchased the account information had disappeared.
The next steps
To its credit, Ibotta is stepping up and reimbursing users whose accounts have been compromised and emptied. “We are sympathetic to our users’ plight,” Donahue said. “As a gesture of good faith, we decided to replenish the funds for the small number of users who were impacted.” Other accounts that Ibotta believes may have been targeted have been temporarily locked as a precautionary measure. If this has happened to you, you’re urged to email support@ibotta.com – though be warned, there’s a backlog, so you may not hear back right away. In all, Donahue estimates that “no more than a few hundred users (out of millions) were potentially affected.”
In the end, there’s no real way to “prove” who’s at fault. “Could this have been a breach?” Levin asked. “Anything is possible. We’ll never know unless Ibotta admits it.” The fact that more than just one or two accounts were compromised, all at the same time, is certainly more than just a coincidence. But the fact that millions of Ibotta accounts were not compromised at all is compelling evidence for Ibotta’s position that it was not the victim of a security breach.
“Ibotta user passwords are encrypted and not accessible to anyone,” Donahue reassured account holders. Some users are not entirely reassured, though, saying that Ibotta could still do more to secure their accounts from future hacks. “I just don’t feel comfortable that they’ve taken steps to prevent this happening again, whether they had a security breach or not,” user Veronica said. “I get an email every time I change something in my bank accounts, in PayPal, in Facebook, in Amazon – this is pretty standard. Yet someone can cash out my Ibotta account to a brand new email and IP address with no additional confirmation step? Sloppy security.”
Donahue said steps are now being taken to address those concerns. “Since this occurred, our developers have been working diligently to implement additional security measures that we are confident will prevent Ibotta users from facing this problem in the future, even if their email and password information fall into the public domain.”
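Donahue does not say what the additional measures are. The control Veronica describes – no cash-out to a new destination from a new address without a confirmation sent to the contact on file – is the standard answer to this kind of account takeover, because it stops a stolen password alone from moving money. The code below is an added example of that step-up rule, not Ibotta's code and not a description of what Ibotta built; the Account and CashOutRequest records, the sample values and the send_email mailer are all assumed for illustration.

```python
"""Step-up confirmation for cash-out requests (added example, constructed data)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    contact_email: str                                        # verified address on file
    known_ips: set = field(default_factory=set)               # addresses seen on past logins
    trusted_destinations: set = field(default_factory=set)    # payout targets used before
    pending: dict = field(default_factory=dict)               # confirmation token -> request


@dataclass(frozen=True)
class CashOutRequest:
    destination: str    # PayPal address or gift-card email the money would go to
    source_ip: str      # where the request came from
    amount: float


def assess_cashout(account, req):
    """Decide whether a cash-out may proceed silently ('allow') or needs a step ('confirm')."""
    reasons = []
    if req.destination not in account.trusted_destinations:
        reasons.append("new payout destination")
    if req.source_ip not in account.known_ips:
        reasons.append("unrecognised source IP")
    return ("confirm" if reasons else "allow"), reasons


def request_cashout(account, req, send_email):
    """Pay out or park the request behind a one-time token. send_email(to, body) is a
    hypothetical mailer supplied by the caller."""
    decision, reasons = assess_cashout(account, req)
    if decision == "allow":
        return {"status": "paid", "reasons": reasons}
    token = secrets.token_urlsafe(32)
    account.pending[token] = req
    # The confirmation goes to the address already on file, never to the new destination,
    # so whoever holds only the password cannot approve their own transfer.
    send_email(account.contact_email,
               f"Confirm cash-out of ${req.amount:.2f} to {req.destination}: {token}")
    return {"status": "pending", "reasons": reasons}


def confirm_cashout(account, supplied_token):
    """Release a pending request only on an exact token match (constant-time compare)."""
    for token, req in list(account.pending.items()):
        if hmac.compare_digest(token, supplied_token):
            del account.pending[token]
            # Once the owner has confirmed, the destination and address become trusted.
            account.trusted_destinations.add(req.destination)
            account.known_ips.add(req.source_ip)
            return True
    return False


if __name__ == "__main__":
    outbox = []
    acct = Account("owner@example.com", {"192.0.2.9"}, {"owner@example.com"})
    usual = CashOutRequest("owner@example.com", "192.0.2.9", 23.0)
    unusual = CashOutRequest("stranger@example.net", "198.51.100.7", 23.0)
    print(assess_cashout(acct, usual))       # ('allow', [])
    print(request_cashout(acct, unusual, lambda to, body: outbox.append((to, body))))
    print(outbox[0][0])                      # owner@example.com, not the new destination
```

The two inputs that matter are the payout destination and the requester's address; either being new is enough to demand the extra step, and the mail goes to the account holder, which is exactly the notification Veronica says she gets from her bank and PayPal but did not get from Ibotta. Rate-limiting confirmations and expiring tokens are left out here to keep the rule visible.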
Levin said it’s all about staying one step ahead of the hackers. For Ibotta users, that means changing your password to something unique – not the same password you use to log in to other sites. As for Ibotta itself, and its efforts to strengthen its security, “each company has to determine where their flaws are,” Levin said. “As a defender, you have to get everything right. As an intruder, you only have to get one thing right.”
And in at least a few hundred cases, they did. If Ibotta can help it, though – they won’t do it again.
Update: Ibotta made things right, in a little more than five days. Was able to reset my account without deleting it completely. Still no explanation to what really happened, but funds were returned to my account. Hopefully, the criminal that had temporary access was forced to return the funds – wishful thinking.
August 2017, same thing happened to me – Ibotta transferred all of my funds to a PayPal account not listed on my Ibotta account. I let them know within literally two hours that I had not authorized any transfer. Their support team was slow to respond. Several days later they requested that I register my mobile device and phone number. When I obeyed their request, they deactivated my account and said I had broken one of their rules, BUT THEY WOULD NOT SAY WHICH ONE. Sounds like an inside job. I’d like to know how many more of you are out there with the same odd story.