LANSING, Mich — A 22-year-old Ottawa County man is considered the kingpin in a criminal enterprise surrounding a Meijer awards theft that impacted hundreds of Michiganders.
The total corporate loss in the mPerks scam totaled more than $1 million, Michigan Attorney General Dana Nessel said Thursday.
Nearly a month ago, 13 ON YOUR SIDE alerted the state attorney general's office that scammers were accessing Meijer mPerks accounts. Countless viewers shared with us via email, phone call and on social media that their mPerks points had been wiped.
Since then, her office and a criminal investigative unit learned Meijer customers were impacted across the state and in other states, too.
Meijer said all verified theft victims have had their points reimbursed. A representative shared this statement Thursday:
"We appreciate the efforts of the Michigan State Police and the Attorney General’s FORCE Team, in partnership with our Asset Protection team, to bring this individual to justice. This situation highlights the importance of changing passwords often and not using the same password for multiple platforms. We encourage any customer who believes they were a victim of this individual’s actions to contact Meijer customer care at 1-877-363-4537."
The main suspect Nicholas Mui, of Grand Haven, is charged with criminal enterprise (a 20-year felony), using a computer to commit a crime (a 20-year felony), and seven charges of identity theft (each count a 5-year felony).
Authorities accuse him of using customers' login credentials on the dark web that were likely obtained in previous data breaches to access users' mPerks accounts.
Mui sold those login credentials online, state investigators allege. Those who bought the mPerks logins used the points balance to fund their own purchases from Meijer, both online and in-person.
This crime is called "credential stuffing." Simply speaking, scammers compile large amounts of comprised logins and employ bots online to target websites and apps en masse.
State investigators do not believe Meijer's infrastructure was directly breached.
Authorities seized more than $20,000 in cash from his home and around $460,000 in digital currency.
State regulators executed 12 search warrants.
"This theft operation affected hundreds of Meijer customers and mPerks account holders, and cost the grocery chain more than one million dollars," Nessel said. "It is our belief we apprehended the main operative and driver of this sophisticated, wide-spread criminal enterprise, and I'm grateful for the partnership between my FORCE Team, the Michigan State Police and Meijer."
Mui is due back in court next week.
Michigan AG Nessel urged Michiganders to change their passwords and logins frequently, and don't use the same credentials across counts.
"Consumers should heed this warning and exercise smart password discipline," Nessel said. "If you are notified of a data breach, you should be changing your login credentials not just with the breach point platform, but also for any other accounts for which you use the same login credentials."
Last month, 13 ON YOUR SIDE uncovered scammers had been getting into Meijer Customers' mPerks accounts. Once they did, they would access the mPerks points, which build up into cash rewards and can be redeemed at checkout.
mPerks is the loyalty and rewards incentive program offered by the Meijer grocery chain. Customers accrue store credit points into their individual accounts by making purchases at the grocer. The points accrued can be used as cash value towards purchases.
The thieves would use them to buy everything from gasoline to frozen food, even cologne.
In December, Meijer told 13 ON YOUR SIDE the breach affected about 0.5 percent of its customers.
While Meijer doesn't disclose how many total users are on their rewards program, the company said in January 2023 they have "millions of total mPerks users."
For context, 0.5 percent of 2 million is 10,000.
Meijer once again stressed the importance of using a unique password "that has never been used with Meijer or any other digital account."
Multiple others have posted on social media claiming similar situations.
To check if your points were used, check out the point history in the mPerks app. Also, search through in-store purchases to see if there are any purchases you did not make.
To report fraudulent activity to Meijer, call 1-877-363-4537.
►Make it easy to keep up to date with more stories like this. Download the 13 ON YOUR SIDE app now.
Have a news tip? Email news@13onyourside.com, visit our Facebook page or Twitter. Subscribe to our YouTube channel.