kylemittskus
If you have a credit card stored on Wine Library's website, there is a very good chance that it has been stolen and charged with fraudulent charges. There are two threads about it here and here. The charges are coming from iTunes, Tune-Up Media, Blizzard Entertainment, piknic.com, and Webroot.
Check your CC statements if you have cards linked to WL's website.
Here's the letter from WL:
Wine Library Security Notice
We wanted to get this to the forum ASAP. Once we have full details on what exactly happened, we will be letting everyone who might be affected know. We are very upset to report that our website was recently hacked and some customers' credit card information and web site user account information may have been compromised as a result. We know this is upsetting to you as well as to us. We are doing everything we can - as quickly as we can - to fix this issue and make sure something like this does not happen again. The following is what we know, what we're doing about it, and what you can expect next:
What we know: When we began hearing from a few customers about possible fraudulent credit card charges in the middle of October, we quickly launched an investigation. At that time, we did not know a data breach had occurred. However, as the number of these concerns increased in early November, we removed all credit card data from our site on November 11th since it became clearer that, although we couldn't find a breach, something was going on. Finally, two days ago (November 16th) we confirmed that an IP address from China was used to hack our website and potentially compromised customer credit card information. As far as we can tell, this did not affect any in store transactions.
What we're doing about it: We are taking this breach very seriously. This is the first time in 15 years of being on the web and, in the 28-year history of our company, that we've ever encountered an issue as serious as this. Here's what we're doing to make sure it never happens again:
* We already removed all credit card numbers from our website.
* We are accelerating the launch of our new website, which has new and best in class backend security protocols to safeguard against these situations. On our new website:
  * Credit card information will never be stored
  * All credit card data will be tokenized through a third party, meaning that even if someone takes the data they can't do anything with it
  * Will continue to use SSL (Secure Socket Layer) protocol to encrypt data
  * Will be run on an upgraded system using modern software
* We have an independent forensic investigator already looking into the situation to tell us the facts of the breach, to validate our new website protocols, and to tell us what we can do better moving forward.
* We are notifying all relevant authorities, per state law.
What you can expect next: While we believe that the data breach is over (we have not seen any additional breaches), all of our customers (and anyone who does business on the Internet) should still be vigilant. This means you should continue to monitor your credit card for any fraudulent charges and notify your bank/credit card company immediately of anything suspicious. Per Federal law, you can also get a free credit report once a year via https://www.annualcreditreport.com/cra/index.jsp.
For future purchases, existing customers can utilize our new website by logging onto winelibrary.com and clicking the beta link at the top of the page, even though some of the inventory, search capabilities, etc. are still being finalized. We will soon switch to this new site permanently. If you are having trouble using our new website, our current website is no longer storing credit card data at all. If you are not comfortable making purchases via the website, you can always call 888-980-9463. Lastly, if your data was breached you will receive formal notification in the coming weeks regarding any additional measures you can take.
We cannot stress enough how sorry we are that this happened. We are working as hard as we can, as quickly as we can, and with whatever internal and external resources necessary to ensure this doesn't happen again and that you all can shop WineLibrary.com without concern.
In the meantime, we are committed to keeping you up to date. We value your business tremendously and appreciate your support and confidence.
Wine Library
"If drinking is bitter, change yourself to wine." -Rainer Maria Rilke
"Champagne is a very kind and friendly thing on a rainy night." -Isak Dinesen
"There are many ways to the recognition of truth; Burgundy is one of them." -Isak Dinesen
justinrsanderson
Well... that explains all the Blizzard charges on my cc last month. Still waiting on a resolution.
"If it smells done, it's done. If it smells burnt, it's burnt. If it don't smell, it ain't done yet."
kylemittskus
justinrsanderson wrote: Well... that explains all the Blizzard charges on my cc last month. Still waiting on a resolution.
What do you mean still waiting? Both Visa and AmEx solved the problem for me instantly. No questions. No paperwork. Just, "Sorry it happened. We'll take care of it." Between the two cards I had about $600 charged.
jdhart306 wrote: Mine just got taken last week, but luckily Visa stopped them and no money ever got taken from my account.
Taken from your account meaning you use a debit card online? I suggest not doing that. You are protected like a CC most of the time, but with a CC, money never leaves your hands like it could with a debit card.
kylemittskus
PTommins wrote: I'm shocked that these folks have yet to send out an e-mail to their customers. I guess they dropped the ball when it comes to having a fully established incident response policy!
Gotta be honest -- I am too. They posted the letter that I quoted and they have been sending PMs to some people who posted in the original thread that brought the issue to light, but the fact that a blanket email hasn't been sent out to every person on the email list is rather shocking to me. IMO, they need to tell everyone to check their CC statements, etc. etc. etc.
I'm curious how they're going to continue to handle the situation from here because I don't think they've done a great job so far. I understand that this kind of thing can happen when using a CC online, but the lack of immediate blanket response is very odd indeed.
kylemittskus
tenuki wrote: Okay, curious about the Webroot charges, that's funny. Were they just needling Webroot as a security company?
You Nor Cal folk speak a whole different language.
They meaning WL or the Chinese hackers?
beefytaco
While I appear to have escaped, my brother was complaining about Blizzard charges to his card last night.
I honestly can't believe that no email was sent about this from WL.
___
I have two accounts- this 'anonymous' username for commenting, as well as a 'purchasing' account which is my real name. Apologies for the white box on the left.
Also, in the interest of full disclosure- I'm ITB, selling wine for a living. None of my wines have ever been featured on Woot though, so don't fear the shilling.
kylemittskus
tenuki wrote: Hackers. Like, if you're a hacker, why would you steal credit card numbers and buy web protection ...
I assumed it was some kind of backdoor thing. Like the Blizzard charges. I don't think it's actually Blizzard charging the money. At least, I hope not. Still absolutely floored that there is no email from WL.
BeefyTaco: I'd cancel your cards that you used on WL anyway. People are reporting charges as recently as today.
kylemittskus
Blanket email sent out finally.
redwinefan
richardhod wrote: Neat. How much do you have to pay for that feature? Good to hear, as friends have had terrible ID fraud refund and handling issues with Citibank in the past.
Yes, I'll second this. I cancelled all my Citibank cards after having to jump through hoops to recover fraudulent charges on my card. Amex makes dealing with fraud a breeze.
I've never heard of this "create a temporary credit card #" though, which is a very cool feature.
"You need to invest in a corkscrew. Wine is for drinking." -- Peter Wellington
smartheart
I need to call my credit card company.
But first I'll express my surprise that Wine Library simply suggests requesting a free annual credit report from the government-mandated program.
In other instances of data breach I've heard details of, I think I recall the vendor offering to PAY for credit reports and for special monitoring for a year.
I'm disappointed in how cavalierly WL seems to have taken this matter overall. Big loss in credibility. Though I'm no expert on computer security, it seems to me they should have had stronger protections in place already and also acted more decisively when they first learned of the problems. I can't help but think how many, many thousands of hours Gary V must have put into creating good p.r. for WL--somewhat wasted now.
My limited experience with WL has been positive. But if any company assures us that our information was safe in the past and it turns out not to have been so, it might be a struggle to rely on their new assurances that things are just fine now.
"Three be the things I shall never attain: Envy, content, and sufficient champagne."
--D. Parker
redwinefan
Cesare wrote: It's free. Never had a problem with Citibank, they are always right on top of things and have even called me before I knew there was a problem.
Thanks, maybe I'll give them another shot. I did notice they're running a good bonus promo for the American Airlines card right now.
kylemittskus
smartheart wrote: snip
I am with you 100%. I am overall pretty casual about the issue as a whole. Something happened. They now fixed it. Can't change the past. However, I am very surprised that they aren't paying for credit monitoring, especially after one of the IT staff from WL let it slip that they weren't under PCI compliance, whatever that means. Sounds like they made a BIG mistake and have done nothing to rectify it. And frankly, I'm surprised that WL being what they tout that they are -- so customer service-oriented -- that they didn't do more. On top of that, I thought that there were laws that dictated the kind of action that you and I are saying should have happened with credit monitoring, etc.
I am still purchasing from WL and I probably won't stop. However, I think that they have been pretty casual about the issue, too much so, IMO.