Framework Repair Center Data Breach

I couldn’t find any official response online except for the email I got. This breach seems to only have affected people who tried to RMA or do something similar to repairs in Europe, and it went through LMR. Here is the full email:

Dear Valued Framework Customer,

We have been informed by our repair center partner LMR Germany that due to a vulnerability in their web infrastructure, some personally identifiable information (PII) relating to your Framework return or repair may have been visible temporarily to unauthorized viewers.

We care deeply about your privacy and have a core focus of building products in a more respectful manner, so we are disappointed to report this potential breach of information. We have full details on the incident below, and have used this as an opportunity to make our operating procedures more robust.

What happened?

On June 16th, 2025 our repair partner LetMeRepair DE, our partner for repair services and return processing in the EU, informed us of the following:

Early on 11 June 2025, following a routine scan, our web host provider identified a possible vulnerability in certain of our web pages. We suspended the websites to conduct a full assessment and to eliminate the risk to website users.

We subsequently established that our webshop, which we run through a reputable webshop system, was possibly subject to unauthorised access. As a result, customer data such as names, email addresses, physical mailing addresses and phone numbers may have been visible. No payment information, passwords or other sensitive information was visible.

We implemented a patch for the vulnerability, and on 12 June 2025 restored the websites from secure backups, and we are informing every webshop customer and the data protection authorities.

Within the same environment, the ftp folder used for the data transfer to your company was hosted.

What information was visible?

While LMR was not able to determine if unauthorized viewers accessed the information, it is possible that the following personally identifiable information (PII) relating to your Framework return or repair may have been visible temporarily:

Full name
Address
Telephone number
Email address

What steps have been taken?

As indicated by LMR, a patch was implemented to address the vulnerability, and on June 12th, 2025 our RMA and Reverse Logistics team will continue to work with LMR to understand any further guardrails within our shared systems to prevent a similar issue from occurring in the future.

We sincerely apologize for the concern this may have caused.

4 Likes

Hey there,
I am affected as well.
My questions to the Framework team:
Did that also happen to you, what will be done about it, and what will Framework do in the future so that partners will surely handle customer data properly?

This is a legally required disclosure; it’s a pretty good indicator that Framework’s partner in this case has taken every reasonable precaution. There exists no reason to believe, based on this email, that any user data was leaked, or that the partner acted in knowing neglect of Framework customers’ data security.

2 Likes

I understand that it is legally required, but in the email it’s still worded as “may”.
I understand it as: there could be leaks or not.
I want to know if Framework is certain or not that there are no leaks!

There is only one way to be certain that no data leaked: don’t have data to leak in the first place. :man_shrugging:

3 Likes

The problem with digital data is that when it is “taken,” it is still there. So they may know someone got in, but may not be able to tell if anything was actually “taken.” Also, they may not even know whether or not anyone got in.
They may have just discovered a way in, but have no way to know if anyone else found that way in. In that case, they may know what data was exposed by that vulnerability, but have no idea if anyone actually came in that way and copied any of the exposed data.

In general, you should just assume that whatever the exposed data was, that it was stolen, and then take steps to protect yourself.

3 Likes

Okay, so you say to me, a person who doesn’t use the internet every day, that I have to protect my own data even if I trusted it to a company? How the fuck should that work?
Always a fake name and a fake home address?
Yes, I am already sure that my data was stolen, so that’s why I am here and trying to get a response from Framework!
I live in the EU, where there are very strict data protection laws, and if Framework can’t be certain to acknowledge these, or any sub-company can’t, I am sure this will be a class action lawsuit or something like that.

Unfortunately, data leaks/theft are just the reality in this digital world. What you do to “protect yourself” after a breach will depend on what data was exposed and what your comfort level is. Maybe all you do is be a bit extra wary of potential spam calls, texts, and emails. Maybe you monitor your credit a little more closely, maybe you change passwords and such on critical accounts. Again, this will depend on your comfort level and what data was potentially stolen.

This is a community forum. If you want a response from Framework, the best bet would be to reach out to support directly.

You asked how you could be sure if there had been a leak or not, when all the report said is there “may” have been. I just said they may not even know for sure at this point, but it’s possible, so the safest thing is to act as if there had been. That’s all.

2 Likes

I understand that you are concerned but your engagement here is poor.

1 Like
Edit - reconsidered this

First, the information that was vulnerable, if someone found the vulnerability and broke in, is minor. Really minor. In my opinion.

Full name
Address
Telephone number
Email address

Name, address, phone number. Was this not published in phone books in the past, and in online directories now? Though people now have cell phones, which are not by default in free public directories. Usually available if someone is willing to pay money. Email address? OK. All together, not worth more than a moment in my mind.

To be honest, I’m not sure what you’re looking for. As you seem to understand the situation already. Perhaps, partly, you’re just generally annoyed that the potential leak happened? Understandable.

Way way more than I should have written. Click to show (save yourself, don't).

Did they not say?

What steps have been taken?

As indicated by LMR, a patch was implemented to address the vulnerability,

Again, did they not say?

and on June 12th, 2025 our RMA and Reverse Logistics team will continue to work with LMR to understand any further guardrails within our shared systems to prevent a similar issue from occurring in the future.

It would take time to assess if there are any “further guardrails” that they could implement, demand their partner implement, or if they won’t, find a different partner who will.

They said. And you did previously say you understood.

LMR was not able to determine if unauthorized viewers accessed the information

“i want to know if Framework is certain or not”
They are not.

As others have said. With computer systems, as with so many other things in life, there are situations where you will not know, can not know, some things you may wish to know.

I discover my back door ajar; did someone pick the lock? Did I just fail to pull it tight enough to click the latch, then the wind blew it open? Cannot possibly know.

The questions, which you’ve posted, have already been answered.

So yeah. Perhaps you’re really just annoyed? Want to vent? Want blood?

I understand you may just not feel the things FW said and did are satisfactory, to you, but the questions you asked were already answered. So, if unsatisfactory to you, you would need to say so. Then perhaps change your question to something like “What additional things will you do about this, considering that your stated actions are unsatisfactory to me?”

Yes. And this has always been the way it is, with everything. No one will truly look out for your interest but yourself. But it has zero to do with the internet. Many of the most massive data breaches have been from brick-and-mortar retailers. The info of millions and millions of people. Government agencies have had breaches as well.

You protect yourself by using a credit card that offers good fraud protection. Consider a card that allows you to generate limited card numbers: limiting the time they are valid, the retailer they’re authorized for, or the amounts they will accept. Debit / bank cards tend to have fewer and weaker protections, if nothing else because if there is fraud you are asking them to return your money, rather than contesting a charge you have not paid.

A false name is exactly what I’ve done for years. For purchases that I consider small and / or insignificant to me. I wouldn’t for an item that is expensive to me, but for a lot of things, they don’t need a name, they don’t need a phone number, just a payment that goes through and an address to send it to. And over the years I’ve seen many companies sell my name & address to others to market junk to me. I always knew who sold my info, as I used a different middle initial to tell them apart.

Another good thing to do, live in the EU, where they have better consumer protections. You got that one already. Perhaps just for free, if you were born there.

Should we have to do any of these things? Certainly not. But this is life & the world we live in.

Did they violate something in the data protection laws? If they did, tell us, so that others can join in. I don’t think having discovered a vulnerability violates the laws.

Though again, it’s name, address, phone, email. Potentially, maybe, if someone found the vulnerability while it was available and broke in.

Why did I write all this? Damn, I don’t know. Perhaps to delay doing something unrelated that I’m not looking forward to. Apologies to anyone who clicked this. :dotted_line_face:

3 Likes

:rofl: I don’t know what you mean

Hey, thanks for your detailed answer.
I value my personal data!
I don’t know much about how these things work, but if I buy something from a company that is worth 1500 EUR, I expect from them that they handle my personal data like it should be handled.
I expect from a company like Framework that they do good screening for their sub-companies or things like that,
so that these things won’t happen again. I researched, and it happened in 2023 to Framework. So my question is:
IS MY DATA SAFE AT FRAMEWORK AND ARE THEY FINALLY DOING SOMETHING?
(English is my second language, sorry for spelling and grammar)

1 Like

I don’t agree that the data that could have leaked is considered minor. That is enough data for bad actors to connect these pieces to other available online data and create targeted phishing attacks, phone swaps, doxxing/physical threats and probably more. This isn’t the era of phone books, it’s the era of digital identity. The comparison to old phone books is a flawed analogy. In the past, that information was relatively static and difficult to exploit on a mass scale. Today, this data is the key to unlocking your entire digital life. Bad actors aren’t just looking for a single piece of information; they are looking for data points to connect and build a comprehensive profile of their targets.

3 Likes

Does Framework ship to a PO box (for example)? If that’s possible, I guess it’s one of the data points that could be shielded.

Definitely a fair point there

No. Framework requires legitimate residential or business addresses for loss prevention and legal compliance.

And in the case of repair centres (given this thread), do they take / allow a PO box? Because if not, it would sound like the privacy of the address is then at the mercy of the safeguards of each repair centre.

To my knowledge, the address requirements for ordering and RMAing are the same. The same loss prevention and compliance reasons would apply.

Framework’s email addressed this:

Thanks. Guess it’s TBD then.

Thanks for clarifying.
Will there be a follow-up email from Framework?

1 Like