“KandyPens” Has Leaked Full Customer Credit Card Details

Last updated September 17, 2021
Written by:
Bill Toulas
Infosec Writer
Source: KandyPens

If you have bought a vaping pen or an accessory from the “KandyPens” online store, you may have had your full credit card details stolen by Magecart actors. The vaporizer products manufacturer and retailer has just informed the California State Attorney General's Office of a data breach that could potentially have dire consequences for an undisclosed number of individuals. The company realized that someone had planted a card skimmer on its checkout page in January 2020, and immediately hired a forensic investigator to find out what was going on.

KandyPens reports that purchases made between March 7, 2019, and February 13, 2020, may have resulted in the loss of credit and debit card data. More specifically, the information that may have been stolen by the malicious actors includes the customer's name, their credit or debit card number, the expiration date, and the security code/verification number (CVV). There’s literally nothing else that one would need to make online purchases using another person’s card, so this exposure is considered entirely disastrous.

For this reason, the exposed individuals are advised to closely monitor their bank account activity, review their statements and purchase history, and report anything that they don’t recognize to their card issuer. The sooner suspicious activity is reported, the better the chances of having it reversed. Unfortunately, KandyPens isn’t offering a free-of-charge identity protection service to its clients, although its negligence will now cause them great trouble. We understand that the cost of these services is high, but this is the only way to retain whatever trust is left between a company and its compromised clients.

The vaporizer seller is instead urging its customers to call “1-833-968-1687” with whatever questions they may have regarding the incident. As for what you can do to avoid this type of event in the future, you should favor electronic payment methods or cash with “pay on delivery” if this is an option. If there’s no other way to pay than using your credit or debit card, ask your bank to activate OTP (one-time passwords) for this kind of payment, so you can confirm each one using your phone. Thankfully, phone numbers haven’t been exposed this time, so you can at least steer clear of SIM-swappers.


