Dear Jefit user,
We are releasing a public announcement about a cyber-incident that may have exposed some of your Jefit account information (no financial data involved). If your Jefit account was registered before September 20th, 2020, your account might be impacted by this incident. We are also sending direct emails to users whose accounts might be impacted by this incident. We take the protection and proper use of your information very seriously, and inform you now to explain what happened and the steps that you can take to protect your email address and Jefit account.
Recently, we became aware of this data incident from a few user reports and immediately investigated. Soon after, we discovered the data breach due to a security bug and took a series of actions to make sure our system is safe and to further protect your account.
Upon discovering this breach, we took immediate action to secure our servers and the impacted accounts. We also began an investigation to understand the scope of the incident. We were able to identify the root cause of the data incident, confirmed that other Jefit systems were unaffected, and contacted law enforcement.
At this time, there is no sensitive financial data involved since we never stored customers’ payment information. All payment processing was handled directly by Google Play Store, Apple App Store, or the payment gateway company when customers purchased products on our website. Nevertheless, we are providing this notice out of an abundance of caution because some other part of your account-related data was potentially accessed by the perpetrator of the cyber-incident.
What type of information was involved?
The account-related data that the perpetrator gained access to includes some or possibly all of the following:
- Jefit account username.
- Email address (associated with the account).
- Encrypted password (hashed with a salt unique to each account).
- IP address when creating the account.
Please note that not every account has an IP address associated with it. We only keep IP addresses for anti-bot and abusive account registration purposes.
What are we doing to prevent any future breach of data?
Upon discovery of the cyber attack, we immediately secured the servers and patched the bug. We also conducted a forensic investigation to confirm that no other systems were impacted. We have taken security measures to strengthen our network against similar incidents in the future. We are also adopting a much stronger password policy on our product to further protect users’ accounts in the future.
What can you do?
We want to make sure you are aware of steps you may take to guard against potential phishing email attacks or other forms of fraud. Although all the passwords have been encrypted before saving to our system, we encourage existing users to change their Jefit passwords to a more secure format / combination. We take the privacy and security of your information seriously, and sincerely regret any concerns or inconvenience that the incident may have caused you. If you have any additional questions or concerns, please contact us via firstname.lastname@example.org.
Ying Lin, CEO
March 19th, 2021