A Michigan man is due in court later today for a hearing on charges that he stole and sold access to more than a million dollars worth of grocery shoppers’ loyalty rewards.
22-year-old Nicholas Mui of Grand Haven, Michigan, is accused of hacking his way into thousands of mPerks accounts held by shoppers at the Meijer grocery chain.
And those points are valuable. mPerks members earn the points by making purchases at the store, and can redeem them for free or discounted groceries. But last year, many shoppers in the states where Meijer operates – Michigan, Ohio, Indiana, Kentucky, Illinois and Wisconsin – complained that their accumulated points had suddenly vanished from their accounts.
According to Michigan Attorney General Dana Nessel, Mui got hold of usernames and passwords from a separate data breach and tried them out on the mPerks login page, using software that rapidly tried them all and flagged the ones that were a match.
This kind of attack, known as credential stuffing, is precisely why internet security experts recommend you don’t use the same login credentials for multiple sites. Because shoppers had reused usernames and passwords that were compromised on other sites, Mui was allegedly able to use those very same credentials to successfully log into thousands of mPerks accounts.
And then, Nessel said, Mui sold those credentials on the dark web. The buyers were then able to log into the compromised mPerks accounts and redeem all of the rightful owners’ points to get discounts on their own purchases at Meijer.
Meijer first became aware of the problem last April, when complaints from customers started coming in. When the retailer determined that the shoppers’ missing points were more than just isolated issues, it contacted state police.
The subsequent investigation “discovered encrypted chats and foreign online markets where mPerks login credentials were being offered for sale, advertised with the corresponding points contained within each account,” Nessel said in announcing the charges at a news conference late last week. Prices for the account information were quoted in cryptocurrency. “One seller account stood out to our investigators,” she went on.
That account, Nessel said, was traced to Mui. Searches of his residence, vehicles and electronic devices turned up evidence including $20,000 in cash and $460,000 in cryptocurrency. The value of the stolen mPerks points added up to more than a million dollars. Meijer has restored the stolen points to affected customers’ accounts, which means the retailer is taking the hit – though shoppers may ultimately pay in the long run, in the form of fewer loyalty rewards or higher prices.
Mui has now been charged with nine felonies, including identity theft, conducting a criminal enterprise and use of a computer to commit a crime, for which the maximum penalty if convicted is 20 years in prison.
As for the shoppers whose accounts were compromised – or those who might find themselves in a similar situation in the future – not only does Nessel recommend changing your passwords and not using the same credentials for multiple sites, but she says it’s important to speak up if you notice something isn’t right. “A lot of times people are embarrassed. They think they did something wrong, and so they don’t want to report it,” she said. Others might think, “something seems fishy, I don’t know what happened, but it’s not worth it for me to say anything.” But it was the affected customers who alerted Meijer to the problem and ultimately got law enforcement involved. If they hadn’t, they’d be out a whole lot of points while someone on the dark web continued making hundreds of thousands of dollars selling them.
So not taking precautions can be costly. But in this case, it could be Mui who ends up paying the price.