A West Michigan man has been charged with stealing and selling account information for Meijer "mPerks" accounts, Michigan Attorney General Dana Nessel announced on Thursday.
Nicholas Mui, 22, of Grand Haven, was charged with one count of conducting a criminal enterprise, one count of use of a computer to commit a crime, and seven counts of identity theft.
According to the AG's office, Mui obtained login credentials from a separate data breach, checked which of them successfully gained access within the mPerks infrastructure, and then sold the information on the internet.
The purchasers of the login credentials used the points balances to fund their own purchases from Meijer.
The AG's office said it's not believed that Meijer's infrastructure was directly breached, but that it was a case of "credential stuffing," where account credentials obtained in large-scale data breaches are batched and sold.
“Consumers should heed this warning and exercise smart password discipline,” Nessel said in a statement. “If you are notified of a data breach, you should be changing your login credentials not just with that breach point platform, but also for any other accounts for which you use the same login credentials. Additionally, consumers should be changing their passwords at regular intervals, and not employing the same usernames and passwords across multiple platforms.”
Meijer became aware of the theft through consumer complaints in April and May 2023, when customers reported points vanishing from their accounts.
In September, agents executed a search warrant and seized over $400,000 in cash and cryptocurrency in connection with the operation.
Meijer reinstated the full previous balance of accrued points to affected customers, at a corporate loss the company says exceeded $1 million.