Overview
- An STRG_F investigation found attackers simulate iPhone app logins to avoid the website’s CAPTCHA, enabling high-volume automated credential stuffing.
- The login details used come from large external leak compilations rather than any breach of Payback’s own systems.
- Once inside an account, tools read point balances and personal data, which are then sold as access while buyers cash out points or make purchases.
- Payback issued a generic assurance about its security and advised enabling two-factor authentication, though it remains optional and no detailed fixes were provided in reports.
- Consumer tech outlets urged users to activate 2FA immediately, noting REWE now requires it after previous large-scale plundering of loyalty accounts.
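Because the app login path described above carries no CAPTCHA, a defender has to spot stuffing from traffic shape instead: one source hammering many different accounts with a low success rate. The following is an added illustration, not code from the STRG_F report or from Payback; the log format, field names and sample lines are constructed assumptions.

```python
from collections import defaultdict
import re

# Constructed sample lines from a hypothetical mobile-app login endpoint;
# the format is an assumption, not Payback's real logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=anna@example.com result=fail
2024-05-01T10:00:02Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=ben@example.com result=fail
2024-05-01T10:00:02Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=carla@example.com result=ok
2024-05-01T10:00:03Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=dirk@example.com result=fail
2024-05-01T10:00:03Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=eva@example.com result=fail
2024-05-01T10:00:04Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=finn@example.com result=fail
2024-05-01T10:00:04Z src=203.0.113.7 ua=PaybackApp/9.2(iPhone) user=gabi@example.com result=ok
2024-05-01T10:05:10Z src=198.51.100.5 ua=PaybackApp/9.2(iPhone) user=hans@example.com result=fail
2024-05-01T10:05:25Z src=198.51.100.5 ua=PaybackApp/9.2(iPhone) user=hans@example.com result=fail
2024-05-01T10:05:40Z src=198.51.100.5 ua=PaybackApp/9.2(iPhone) user=hans@example.com result=ok
"""

LINE_RE = re.compile(r"src=(\S+) ua=(\S+) user=(\S+) result=(\S+)")


def parse_events(text):
    """Yield (src, ua, user, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, ua, user, result = m.groups()
            yield src, ua, user, result == "ok"


def find_stuffing_sources(text, min_attempts=5, min_distinct_users=4, max_success_ratio=0.5):
    """Flag sources whose app-login traffic looks like credential stuffing:
    many attempts against many *different* accounts with a low success ratio.
    A legitimate user retrying a mistyped password touches one account only."""
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    for src, _ua, user, ok in parse_events(text):
        attempts[src] += 1
        successes[src] += int(ok)
        users[src].add(user)
    flagged = {}
    for src, n in attempts.items():
        ratio = successes[src] / n
        if n >= min_attempts and len(users[src]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[src] = {"attempts": n, "distinct_users": len(users[src]),
                            "success_ratio": round(ratio, 2)}
    return flagged
```

Thresholds are per-deployment tuning knobs; the key signal is the count of distinct accounts per source, which a user-agent string alone cannot hide.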