MSA is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Read the full disclosure.

FYI – FabFitFun Security Issue

FYI – FabFitFun recently experienced a security issue. You may be prompted to reset your password when you sign in. More from FabFitFun:

Hi Community,

I wanted to make you all aware that our technical team recently discovered that an unauthorized third party gained access to portions of our website that may have enabled them to capture certain information in connection with recent customer sign-ups.

Based on our forensic investigation, this incident concerns the new member sign up pages of our website during the period between April 26, 2020, and May 14, 2020, and between May 22, 2020, and August 3, 2020. Although we believe that only a subset of members who signed up during this period was affected, we are sending notices today to everyone that purchased a subscription or redeemed a Starter Box during this timeframe as a precaution.

We take the security of personal information very seriously, and sincerely regret any concern or inconvenience this may cause. We took steps to address and contain this incident promptly after it was discovered. As soon as our technical team identified the issue, we removed the malicious code and took steps to secure our website with the help of forensic cybersecurity experts engaged to assist with our investigation. We have also reported the matter to law enforcement and are cooperating with the investigation.

Please note that all affected members will receive an email today, and will also receive an official notice via mail explaining the incident. If you did not receive a notice from us directly, this means that we do not have reason to believe that your information was affected.

While we are continuing to review and enhance our security measures, we are confident that the issue has been resolved and will no longer affect transactions on our website. As a further precaution, and as you are now aware, we have initiated a password reset for all FabFitFun members with enhanced complexity and length requirements.

We are here for you if you have any questions, and remain committed to our goal of creating the most valuable membership for you, especially during a period when we need self-care the most.

Take care and stay safe,

SVP Technology

For your reference, our team has prepared some FAQs:

Q: Can you tell me if I am affected?

A: This incident concerns the new member sign up pages of our website during the period between April 26, 2020 and May 14, 2020, and between May 22, 2020 and August 3, 2020. Notification letters and email communication are being sent to potentially affected individuals. If you did not receive a specific email and letter notification about the incident from us (which is different from the password reset email), this means that we do not have reason to believe that your information was affected.

Q: How are you preventing similar incidents in the future? How do I know shopping on your site is safe?

A: We don’t take this lightly. Your trust is the most important thing to us and our goal is to be proactive and forthcoming with our member communication on these topics. We took steps to address and contain this incident promptly after it was discovered. As soon as our technical team identified the issue, we removed the malicious code and took steps to secure our website with the help of forensic cybersecurity experts engaged to assist with our investigation. We have also reported the matter to law enforcement and are cooperating with the investigation. While we are continuing to review and enhance our security measures, we are confident that the issue has been resolved and will no longer affect transactions on our website.

Additionally, as part of our ongoing security efforts and out of an abundance of caution, we are requiring a password reset for all FabFitFun members with enhanced password length and complexity requirements. Working closely with leading security experts, we will take steps to enhance the security of our site on an ongoing basis and as part of an overall strategy to mitigate the risk of future incidents.

Q: What are you doing to protect the identity of members whose information was potentially compromised?

A: Members who may have been potentially impacted by the incident will be offered complimentary identity protection services from a leading identity monitoring services company. We are deeply appreciative that our members have chosen to be part of the FabFitFun community, and as a token of our appreciation, we will be offering members who were impacted a $25 credit that can be used in with the Winter Add-Ons or Winter Edit sale. Instructions on how to redeem the credit will be included in the individual emails that are sent to those members.

FabFitFun is a quarterly subscription box from Each season they send you a box of $200+ worth items in categories like beauty, fashion, and fitness. It’s our readers’ top pick for the Best Fitness Subscription Boxes of 2020!

Check out our FabFitFun reviews to see what you can expect from this subscription.


How do subscribers rate FabFitFun?

Created with Sketch.

Never miss a post: get email alerts about FabFitFun!

Enable notifications () to get the latest FabFitFun spoilers, reviews, deals, and news delivered to your inbox.

Written by MSA


My Subscription Addiction is the #1 site for all things subscription boxes. Check out the most Popular Subscription Box posts, our coupons, and the List of Subscription Boxes you can try for Free!

Posted in FabFitFun Box News, Subscription Box News| Tags: fabfitfun | 55 comments

Comments (55)

  1. No one is surprised here. people who canceled a year ago still had access to the forum and sales because they were too dumb to lock their sites down. They are hemorrhaging money with all the credit and botched orders.

  2. I hear the class-action lawsuit following lol

  3. I have a new Annual subscription with them. Just waited through 66 people in line for live chat. Looks like a lot of people are talking with FFF.

    I was able to cancel my Annual subscription for a refund.

    I have decided as of today that NO internet purchasing transactions are secure, but FFF is less so than most.

    I read this notice on the top of their home page that says their workers are working from home. I wonder if that played a part?

    This is not worth the hassle of worrying from now on for anything. Because I have many direct deposits, I can’t easily change bank account numbers in the time of COVID-19.

    I’m really concerned about my CC number being ” out there”. I know many others of you and people who don’t post here are as well. They have ( or had) millions of customers.

    Good luck to all of us, and thank you for the links about removing my info from sites. I have no clue how many sites have my ( still new) card info right now. I’m going to indulge in a few CBD gummies, put my Tempurpedic on massage, and listen to some David Lanz music through my Echo while it rains this afternoon.

    Things will get better. I am comforted that my bank account is less than 60 days old. Thanks to a relatively cheap sub for taking money out of my old card when I’d cancelled them 2 years ago or more.
    I probably had 60-80 subs with the old card number on file.

    I also want to say that I am not sure if FFF can survive this. I am sorry for them, but only a tiny bit.

  4. So…they knew back in June that they were hacked. It was posted on their community board. They wouldn’t address the question! Now they are suddenly saying it happened again?! Who monitors these companies? Why are they allowed to run a business like this? If you are looking to join FFF…run, fast and long. Don’t look back! That company is a nightmare.

  5. Yeah, I got screwed over because of this. I bought a close girlfriend a box when she was going through a tough time and signed up on a new email address under her name. A few weeks later I was pleasantly surprised to find a $3k charge on my credit card for some construction project with a construction company based out of california under my friends name. The only time I used that credit card, email address, and my friends name was to make this purchase. Luckily my bank is rad and dropped the charge. I notified fff, got a generic email, and an extra fall box. Total bummer, I don’t feel secure at all with them having my payment information anymore after having to cancel my credit cards.

  6. If you believe their story please check Fabfitfun reddit, they were warned they had a breach and denied it. I’m very disappointed in their statement because a customer or more made them aware of the first breach they did nothing and let a second happen. I pay for a service with them I expect them to at least keep my information secure.

  7. The site has been problematic for a week or two, their social media is full of paying members locked out of their accounts. Then forced password reset just has accounts in an endless loop of resetting password and no access. Mine has been this way for over a week.

    I’ve been advised that technical support is working on this but if it’s not resolved soon I’ll be filing a chargeback. An annual membership you can’t sign into is totally useless for me.

  8. One idea is to change the billing information to a visa/MasterCard/AE gift card, that way they can never charge you more than you want. You can settle any payments with customer service, whom might not keep the debit card info attached to your main account. Your order will just say “past due” until you settle the charge with them. Or until you load the gift card with more money. I like it because if I wake up the next day after a sale and regret what I bought, you can remove things or can el your order entirely. They like to say “all sales are final” but don’t explain that a sale is not final until money is exchanged in full from your method of payment. Until then, it can be changed. They also like to pull stunts where they charge me the wrong amount and other predatory business behaviors. It would be useful as well in case you’re afraid of forgetting to cancel a starter box or account or when a sale ends. Everyone, please red up on the Terms of Use that they hide at the bottom of the homepage and familiarize yourself with FTC rules that apply to only purchases and billed good you didn’t receive or that weren’t sent within the promised timeline or that weren’t refunded etc…etc… because FabFitFun has been having ALOT of issues that fail to meet FTC guidelines. They count on us all being uninformed consumers and not knowing our rights.

    • Yes! All of this!!! 👆👆👆

    • Yup. I only use Gift Cards on my FFF account now n have for awhile. So the money access vulnerability isnt one I havta b overtly concerned abo ut.
      But.. If passwords attached to ur email address were hacked/stolen they could now have access to allot more than just your FFF Account. Highly recommend changing ur passwords on any & all accounts your email address n this same password may b attached to.

  9. I got the email that I am the unlucky few who has had their information stolen. It’s actually really irritating becuase I was already apart of a breach that happened with their shop a few months ago. Within two days I had fraud on my credit card. So I think it’s a very bad sign that they’re making EVERYONE change their password. This is monthsssssss after the first breach so clearly they did nothing to improve security. That’s really upsetting. It’s annoying that I’m having to go through this again and it’s my first experience with a subscription box from when I first subscribed. I’ve been loving the box but idk If I can keep putting up with this. It’s scary.

  10. I subscribe to fabfitfun on and off depending on whether I like the box. Right now my subscription is canceled. I received an email and changed my password. Data breaches can happen anywhere and it is unfair to blame the company for it – its just the world we live in. Also, companies will always keep your info on file incase you decide to make another purchase with them in the future or resubscribe. Also to deter people from constantly subbing and unsubbing just to use coupons. I think thats fair for them to do so. But there should definitely be an option to remove your credit card on file even though its all out there in the cloud.

    • It is completely fair to blame the company. I worked in IT for years as a Sys Admin as well as Network Admin. It was my job to ensure no data breaches occured. If a data breach does happen, it’s because the company hasn’t updated their security measures as often as they should. This is not a case of caveat emptor. A business has a DUTY to keep our information safe. That’s why they employ security professionals, firewalls, etc. You can blame the consumer all you want, but I guarantee based on my professional experience that someone was slacking on the job. This was a clear case of password spraying.

    • It is the company’s fault if data breaches happen. Having worked in IT for years as a Sys Admin as well as Network Admin, I can tell you from experience that it is imperative that companies continually update their security measures or breaches will occur. This is not a case of caveat emptor. A company has a DUTY to keep our information safe. When security professionals get lazy, breaches happen. So, yes, it is the company’s fault.

  11. I received notification that I needed to change my password. However, they didn’t send any information about free credit nor credit monitoring. I’m confirming this right now with an email to customer service. As for the “small number” affected, it won’t be small. Those of us who understand IT security know that they got a huge chunk of accounts.

  12. I havent been signed up in a while, but I’m going topmost this on my page and warn others who didnt get an email. I also cancelled my credit card….

  13. Just FYI, canceling your account isn’t going to help. Companies keep your information forever. It’s in their server somewhere – and even when they decommission the server, they often fail to fully wipe it. I recently received notification from an investment company that I ceased to do business with in 2014 saying that my information might have been compromised.

  14. so… I happened to call them today because of another charge on my cc statement from them for $54.86 on 8/27 and the lady said it was on my old account from my old email I had used and canceled with them years ago , well at first the lady was like since it’s already shipped to their warehouse she could just give me a discount, I said no I already got a fall box i don’t want another one ! I want a refund and this subscription canceled again !! She then said it would be refunded and canceled. And then I get this email to change my password , well that explains it I guess !! Idk 😐

  15. This makes me so mad. They had an issue before so I used a specific new sub email account to renew with FFF and later, a couple months ago it got email subscription bombed and my credit card charged to some place in Germany. I had to completely delete that email account and get a new card. I reported it to FFF that the was the only combination of that email and that card I used since I normally use PayPal or some digital wallet service, so it had to be a data breach with their site and they said nothing happened and there nothing to worry about.

  16. I havent been signed up in a while, but they have not emailed all. I tried to sign into my old account and I found that I’m locked out

  17. I m also getting a lot of emails. I canceled a few times yet each time my information was never deleted fully.

    • You have to request that your account be deleted. Otherwise they hold on to your info forever.

  18. I just spoke with FabFitFun after canceling my membership. My annual ended with the fall box so I was going to cancel anyway. I asked about the account being compromised because I’ve had mine since last fall and I still received the email and the dates above are saying it should only be for new members from this year. The representative said that they sent the email to everyone and those who were affected received a second email about how they were compromised. I also requested for them to delete my credit card information on there system which she said she would submit a request to have it done and I should receive confirmation of it. I guess I’ll keep Margot Elena at least until the price changes in spring of next year and continue to shop Boxycharm add-ons with my premium for good deals.

  19. I think it’s kind of strange that I have to pick whether I want to add the credit to the winter add-on or winter edit sale… how am I supposed to know? I have to go through credit monitoring and change my passwords… can’t I just have a $25 credit on my account?

    • Go with the credit monitoring. It’s not only the higher value (worth more than $25.00) of the two choices, but it will be quite valuable to you (I’ve been through several days breaches and the credit monitoring saved me).

    • My email didn’t say how to claim $25. Just said I was effected. Then the other one explaining it. How do I get that? Ty

  20. All my past accounts with FFF are canceled, some were opened and closed years ago, and yet they sent this email to *all* my email accounts today.

    So it’s not just about breaches *this year*. CYA, I guess. Or just the typical FFF tactic to send you emails all the time just to remind you that they exist. Not impressed with them either way.

    • The email I got on the potentially compromised account I have was different from the email I got on older accounts, though they did email all my accounts.

  21. This is not transparency — they don’t mention what information was leaked. This is poor backend security and a bandaid doesn’t fix for those who are affected. I

    • I can confirm they do mention what information was compromised in the email to compromised users. The answer is: all of it.

  22. Is there a way to have them to remove my account completely? I canceled my subscription after winter but they still retained all my info (and keep spamming me).

    • Unfortunately your information is kept forever.

    • You have to

      • You have to request that your information be deleted. They don’t automatically do it once you cancel. If they refuse, use a free service like AccountKiller to remove it. There are very few companies that hold on the your information indefinitely if you request total deletion.

      • Just did this, thanks for the link!

      • Thank you!

    • Yes, you can remove your account entirely. Have to submit a request through CS; they sent me the link and I filled it out and submitted it. Option of payment info only or entire account. Took two weeks for mine and more than one submission for them to do it.

  23. When you cancel they don’t remove your info (ie it’s really jist dormant). I cancelled my account back in January but received the email and updated my password. Can’t seem to remove my credit card info from my account profile on their website though. Have asked them to remove it for me.

  24. Is there a way to have them to remove my account completely? I canceled my subscription after winter but they still retained all my info (and keep spamming me).

    • You have to request that your account be completely deleted. If that doesn’t work, use a free service like AccountKiller.

      • Thanks for the tip! Going to do this since I’ve been cancelled for almost a year.

      • Thank you!

  25. The identity monitoring service they’re using is only for us citizens. Thanks for nothing fabfit fun!

  26. Interesting. I used the same password for this and my Sling account. (I know, I know. Dumb.) I just had a notice that someone in Canada just logged into my Sling account. There were a few devices that I didn’t recognize logged in.

    That email was beside the FFF email.

  27. instead of changing the information. I m going to cancel completely and resub closer to the time when the winter box comes out.

    • I’m cancelled and they still sent me this email. Guess they’re still keeping our billing info after cancellation which is problematic.

      • thank you for letting me know

        I m hoping there is a way for them to delete the account completely. Not to say it would matter now

      • I wouldn’t mind if they deleted all my personal information too since I canceled over a year ago and still received this email. I’m guessing they keep your info on file to prevent you from signing up every season to get the new member bonuses. Although it is just email addresses they care about as they don’t seem to care about duplicate mailing addresses.

    • Email them ask for the data subject removal form, tell them you want confirmation when it’s removed.

  28. I’ve been subscribed since 2019 and still received a prompt to change my password. FYI.

    • I received that email too, but not the one about my account being compromised. I think they are having everyone resets passwords

  29. Only affected members will get an email? I thought it said, new members page… I been a member for years and years but, I got an email to change my password.

    • Everyone gets the change a password email. The you may have been compromised email is different.

  30. Sigh.
    Went on their site today, and had to change my password.

Please do not enter your email address in the Name field or in the comment content!

Your email address will not be published. Required fields are marked *

Remember to post with kindness and respect. Comments with offensive language, cruelness to others, etc will not be approved. See our full comment policy here.


Get our newsletter

Be the first to know about MSA exclusive deals, news, and reviews