Full Transparency: What Happened, What’s Changed, and What’s Next

At Puffy, we understand that trust isn’t just given—it’s earned, especially after something goes wrong. Over the past few months, we've faced a serious situation involving a security breach that affected our website and, understandably, the confidence many of you had in us.

This post is our complete, transparent update on the breach: how it happened, what we’ve done to fix it, and what we’re doing next to rebuild your trust and ensure your safety.

What Happened: Key Dates and Events

February 4, 2025 – We hired a third-party contractor to implement Apple Pay, aiming to improve checkout for iOS users.
February 24, 2025 – The work ended unsuccessfully. Unbeknownst to us, malicious code was left in our site’s backend.
March 23, 2025 – Customers reported card issues (thank you, fellow Redditors!). We immediately investigated and confirmed that malicious code had been injected into the site.
April 1, 2025 – We disabled the site and migrated to WPEngine, a more secure hosting platform.
April 3, 2025 – We brought in AHCTS, a third-party cybersecurity firm, to audit, clean, and secure the site.

Addressing Concerns About “Phiton Nguyen Fraud”

During the fallout of the breach, a past legal case involving our CEO, Phiton Nguyen, has resurfaced in online forums under the phrase “Phiton Nguyen fraud.” It’s important to address this directly.

In 2018, Phiton Nguyen was involved in a civil real estate dispute, where a business partner filed a lawsuit during the breakdown of a joint investment. The matter was settled out of court, and no criminal charges or fraud convictions were ever filed. This case has nothing to do with the recent security breach at Puffy.

We understand that perception matters. While the case is publicly documented, it is entirely unrelated to the technical breach caused by a rogue third-party contractor. The phrase “Phiton Nguyen fraud” reflects a misunderstanding of the situation, and we hope this context helps clarify. You can see the official court docs here.

What We’ve Done to Secure Puffy

Independent Audit by AHCTS

We hired AHCTS, a respected cybersecurity firm, to perform a full forensic audit. They removed the malicious code, closed access vulnerabilities, and implemented multiple protective layers.

"The malicious code was removed, and the website was secured by the end of that day. Additional remediation steps were taken, including the implementation of industry-standard hardening measures and validation that no further unauthorized code remained active on the platform." – AHCTS

PCI-DSS Compliance

We are now officially PCI DSS compliant, which means we meet the payment-industry security standard for processing, storing, and transmitting cardholder data. This includes encryption of cardholder data, access controls, and logging and monitoring of activity on the systems that handle it.

Weekly Sucuri Security Scans

We use Sucuri to run malware scans and file integrity monitoring weekly. File integrity monitoring compares every file on the site against a known-clean baseline, so code that has been added or modified is flagged for review instead of running unnoticed. This helps detect and remove threats before they can affect users.
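To show what file integrity monitoring actually catches, here is an added example (not Puffy's or Sucuri's code) of the core of such a scanner: a SHA-256 baseline is taken from a known-clean WordPress tree, and a later scan is diffed against it. The directory layout, file contents, and the "injected" footer script and dropped file are all constructed for the demo; the `.invalid` hostname is a placeholder, not a real indicator from the breach.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: minimal file-integrity monitor. Not Puffy's or Sucuri's code;
# paths and file contents below are constructed for illustration.

MONITORED = (".php", ".js", ".html", ".htaccess")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each monitored file (relative to root) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in MONITORED or path.name in MONITORED):
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the paths that were added, removed, or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then two changes an attacker might make."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "applepay"
        theme = root / "wp-content" / "themes" / "shop"
        plugin.mkdir(parents=True)
        theme.mkdir(parents=True)
        (plugin / "applepay.php").write_text(
            "<?php\n// hypothetical plugin file\nfunction applepay_init() {}\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")

        # The baseline would normally be stored off-host so an intruder cannot
        # rewrite it; JSON round-trip stands in for that here.
        snapshot = json.dumps(build_baseline(root))

        # Simulated tampering (constructed): a third-party script tag appended
        # to the theme footer, and a new file dropped into the plugin folder.
        with (theme / "footer.php").open("a") as fh:
            fh.write('<script src="https://cdn.example.invalid/checkout.js"></script>\n')
        (plugin / "class-cache.php").write_text(
            "<?php\n// constructed placeholder for a dropped file\n")

        return compare(json.loads(snapshot), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both changes surface in the diff: the footer shows up under `modified` and the new file under `added`, even though the planted file lives inside a legitimate plugin directory. A real deployment would also exclude expected churn (uploads, caches) and alert rather than print.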

A-Rated Security Headers

Our site now scores an A on SecurityHeaders.com, a service that grades the HTTP security headers a site sends: Strict-Transport-Security (HTTPS enforcement), Content-Security-Policy (which scripts may run and where the page may send data, the main browser-side defense against injected scripts), and headers such as X-Content-Type-Options and X-Frame-Options.
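As an added illustration of what such a grade measures (this is not Puffy's code or the SecurityHeaders.com rule set), the checker below applies the usual rules to a set of response headers: HSTS with a long max-age, a Content-Security-Policy that does not allow inline or wildcard scripts and that restricts where the page may connect or post forms (the two channels a card skimmer needs), plus nosniff, clickjacking and referrer protections. The weak and hardened header sets are constructed, and the `.invalid` hostnames are placeholders for a payment provider's domains.

```python
from typing import Dict, List

# Added example: a small security-header checker. Not Puffy's code and not the
# SecurityHeaders.com grader; thresholds and sample headers are constructed.

HSTS_MIN_AGE = 15552000  # 180 days; a common minimum used by header graders


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # 1. HTTPS enforcement: HSTS with a long max-age and includeSubDomains.
    hsts = h.get("strict-transport-security", "")
    max_age = 0
    for token in hsts.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1])
            except ValueError:
                max_age = 0
    if max_age < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below %d" % HSTS_MIN_AGE)
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")

    # 2. CSP: no inline/wildcard scripts, and exfiltration channels restricted.
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        default = policy.get("default-src", [])
        script = policy.get("script-src", default)
        if not script or "*" in script or "'unsafe-inline'" in script:
            findings.append("script-src allows inline or wildcard scripts")
        connect = policy.get("connect-src", default)  # falls back to default-src
        if not connect or "*" in connect:
            findings.append("connect-src missing or wildcard")
        form_action = policy.get("form-action", [])    # no fallback per spec
        if not form_action or "*" in form_action:
            findings.append("form-action missing or wildcard")

    # 3. Remaining headers the graders look for.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or "").lower():
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("no Referrer-Policy")
    return findings


# Constructed header sets: a typical weak configuration and a hardened one.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}

HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://js.example-psp.invalid; "
        "connect-src 'self' https://api.example-psp.invalid; "
        "form-action 'self'; frame-ancestors 'none'; "
        "object-src 'none'; base-uri 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_headers(hdrs) or "OK")
```

The hardened set passes cleanly; the weak set fails six checks, and the one that matters most for a card-skimming incident is the CSP: `default-src *` lets the browser load scripts from, and send data to, any host. A strict `script-src`, `connect-src`, and `form-action` do not stop server-side code from being planted, but they stop an injected script from phoning home to a domain the policy does not list.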

Cloudflare Firewall & Monitoring

We’ve implemented Cloudflare’s firewall and Radar tools to monitor traffic, block bots, and provide protection against denial-of-service attacks and unauthorized access.

What’s Next for Puffy

Shopify Migration

We are in the final stages of migrating to Shopify, a best-in-class e-commerce platform with built-in security, automated updates, and PCI compliance by default.

Transparency Tracker

We’re launching a Transparency Tracker page that will publish:

  • Weekly malware scan results

  • Status of reported card issues (goal: 0)

  • Progress on Shopify migration and other security improvements

Customer Trust Panel

We’re building a Customer Trust Panel—a group of real users who will provide feedback, preview upcoming changes, and help us ensure Puffy remains accountable to our community.


Frequently Asked Questions

Was my credit card data stolen?
If you made a purchase between February 24 and April 1, 2025, your card data may have been at risk. Many customers were unaffected, but we recommend monitoring your accounts and requesting a new card if you feel unsure.

Did the CEO cause the breach?
No. The breach was caused by a third-party contractor’s malicious code. The CEO was not involved in the technical issue.

Is this breach connected to the “Phiton Nguyen fraud” case?
No. That case was an unrelated civil matter from 2018 involving a real estate dispute. It is not connected to Puffy or this breach.

Is the site safe now?
Yes. The site has been independently audited, cleaned, and secured. It is also PCI compliant and actively monitored.

Will I be reimbursed if I was affected?
Yes. Your bank should reimburse you for the fraudulent charges. If it does not, please contact Puffy and we will help resolve it.

How can I stay informed?
Our Transparency Tracker (launching soon) will publish updates weekly. You can also subscribe to our newsletter for notifications.


Final Thoughts

We know this situation caused real stress and frustration. For many of you, it wasn’t just a security problem—it felt like a betrayal of trust. We want to say, clearly and sincerely: we’re sorry.

You deserve better, and we’re doing everything we can to make sure this never happens again.

If you’ve been waiting to see if we’ve changed, we hope this is the beginning of that answer. If you’re still on the fence, we’ll keep showing up—week by week—with the clarity and accountability you deserve.

— The Puffy Team