Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

Mountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs.

The attack on Gyft is likely to be of particular interest to enthusiasts of the virtual currency Bitcoin. Founded in 2012, Gyft has long been a favorite of bitcoin account holders because it’s consistently been one of the easiest ways to exchange bitcoins for digital gift cards that can be used at everyday businesses.

Cyber crooks very often recycle stolen credentials by trying the username/email address and password pairs at dozens of other retailers online, knowing that a good percentage of consumers will reuse the same credentials at multiple sites. If you re-used your Gyft username and password at other sites (tsk-tsk!) it’s time to change those passwords.

Companies can beef up customer account security by requiring users to sign up for two-step or multi-factor authentication, a process wherein the customer must provide a special one-time code sent to a mobile device in addition to a username and password. Enabling two-step authentication helps blunt the threat from stolen customer credentials because the thieves also would need to have access to the user’s mobile device in order to hijack the account.

A cursory examination of Gyft’s user platform suggests the company does not yet offer two-step authentication for its online site, nor does it require users to supply a mobile number. However, at a Bitcoin conference in Africa this year, Gyft founder Vinny Lingham reportedly told the audience the company was considering adding the security feature.

Source: Krebs