SureFire Website Was Compromised

A notice has been sent out to some consumers that SureFire website data was compromised as a result of a breach on the third-party server that hosts the SureFire website.

You can read the full notice, which our reader Paul sent over to us, below. If you placed an order with SureFire between May 2018 and July 22nd, check your spam folder to see if you received the same notice.

To Our Valued Customers:

We’re writing to inform you that on or about May 28th, 2018 unauthorized access was gained to a web server running SureFire’s website being hosted and managed by a third-party web services provider. Suspicious traffic and activity were noted and a security audit and investigation were launched at SureFire’s direction by our web hosting vendor.

On July 22nd, the web hosting service provided SureFire with a report detailing the results of the investigation. The investigation and audit revealed that the software running the website had a particular vulnerability in the PHP and Zend frameworks. The software vendor provided a patch to close these vulnerabilities on June 22nd, by which time the unauthorized access had already occurred.

The patch closed the attack vector but up to 2,511 transactions nationwide may have been accessed. These transactions would have taken place between May 2018 when the initial access was gained to July 22nd when the investigation concluded. By that date, the patch had been applied, the means of unauthorized access was closed, and remediation steps were taken to prevent recurrence.

Orders outside this timeframe were not affected. Orders not placed on the website at were also not affected (e.g. phone-in orders, walk-in orders, etc. were not affected). The breach only occurred on during the time frame indicated; all other customer data past and present is secure and unaffected.

Given that the breach was due to a vulnerability in the underlying software, security patches have been deployed. Additionally, increased security monitoring and measuring have been put into place to prevent a recurrence.

Our records show that you placed an order through within the time frame the security breach occurred. The information accessed was information provided to fulfill orders on the website, which includes consumer names, shipping and billing address, and payment card information.

As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You may also wish to cancel the credit card used for the purchase you made at that time.

You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission. To file a complaint with the FTC, go to or call 1-877-ID-THEFT (877-438-4338).
Complaints filed with the FTC will be added to the FTC's Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.

Additionally, you may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print a copy of the request form at Or you can elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies listed below:

(800) 685-1111
P.O. Box 740241
Atlanta, GA 30374

(800) 916-8800
P.O. Box 6790
Fullerton, CA 92834


Should you have any questions please email us at or call 714-545-9094 and leave your name, telephone number, email address, and the best time to reach you (Monday through Friday between the hours of 8AM to 5PM Pacific Standard Time) and a representative will contact you as soon as possible.

We apologize for any inconvenience this may have caused you and would like to assure you that we have and will continue to take appropriate measures to protect our customers’ information.



About Patrick Roberts 217 Articles
Since founding Firearm Rack in 2014 which evolved into Primer Peak in 2020, Patrick has been published by RECOIL, Ammoland, Gun Digest, The Firearm Blog, The Truth About Guns, Breach Bang Clear, Brownells, The Shooter's Log, and All Outdoor. When he isn't writing you can find him instructing handgun and AR-15 courses, training his dog Bear, or spending time with his son Liam. See what he is up to on his YouTube Channel, on Facebook, or on Instagram at @thepatrickroberts.
