
Green Bay Packers online store breach exposes credit card data of thousands of fans
Thousands of college football fans had their credit card information stolen after hackers successfully breached the Green Bay Packers’ online store.
Details of the hack first came to light when the football team began advising victims by letter that there was a “data security incident” on the Packersproshop.com website that may have impacted their personal information.
The letter stated that on October 23, the football team was alerted to the presence of malicious code posted on the site by a third party. After learning of the hack, the team disabled all payment and ordering capabilities on the website, launched an investigation, and hired cybersecurity experts to help. The unnamed vendor that hosts and operates the store also had to remove malicious code, update passwords and confirm that there were no remaining vulnerabilities.
Then, on December 20, a forensic investigation revealed that malicious code may have allowed an unauthorized third party to view or obtain certain customer information entered during online ordering between October 3 and October 23. Information that may have been stolen includes name, shipping and billing addresses, email address, credit card type, credit card number, credit card expiration date and credit card verification number.
Although the exact number of victims was not disclosed in the letter, the team said in a filing with the Maine Attorney General’s Office that the number of victims was 8,514. Victims are being offered 36 months of free credit monitoring and identity theft recovery services through Experian.
Although neither who was behind the attack nor the methodology used to gain access has been disclosed, Bleeping Computer reported today that Dutch e-commerce security company Sansec, which discovered the Packers store hack in early October, found that the card skimming attack used YouTube’s oEmbed feature and a JSONP callback to bypass content security policies.
It is clear that at some stage the attacker gained access to install the card skimming code, which raises security concerns, especially in this case where all credit card data was accessed.
“To avoid such schemes, websites using oEmbed must implement robust verification mechanisms to ensure that any data received comes from a legitimate source and does not contain malicious code,” Shobhit Gautam, in-house solutions architect at cybersecurity and hacker programs company HackerOne Inc., told SiliconANGLE via email. “It is critical for e-commerce sites and other online sellers to carefully review and implement third-party APIs and functions to ensure proper software supply chain hygiene. This also includes requiring third-party vendors and plugins to actively and continually evaluate their security posture, which can be done through activities such as pentests and vulnerability disclosure programs.”
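For site owners reviewing their own pages against the pattern Sansec describes (a script loaded from a host the content security policy already trusts, with a JSONP callback parameter), the following audit is an added example and not code from Sansec, the Packers store or its vendor. The hosts, paths, policy and parameter list are constructed assumptions; a finding with `csp_allows` set to true means a host-based allowlist would let that callback response run as script.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used for JSONP callbacks (assumed list; extend for your stack).
JSONP_PARAMS = {"callback", "jsonp", "cb"}

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def script_src_hosts(csp):
    """Return the host-source entries of the script-src directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            # Drop keywords/nonces ('self', 'nonce-...') and bare schemes (https:).
            return [p for p in parts[1:] if not p.startswith("'") and not p.endswith(":")]
    return []

def host_allowed(host, allowlist):
    """True if a host-based allowlist entry (exact or *.wildcard) covers host."""
    for entry in allowlist:
        allowed = urlsplit(entry if "//" in entry else "//" + entry).hostname or ""
        if host == allowed or (allowed.startswith("*.") and host.endswith(allowed[1:])):
            return True
    return False

def audit(html, csp, page_host):
    """Flag third-party script loads that carry a JSONP-style callback parameter."""
    collector = ScriptCollector()
    collector.feed(html)
    allowlist = script_src_hosts(csp)
    findings = []
    for src in collector.sources:
        url = urlsplit(src)
        hits = JSONP_PARAMS & {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if url.hostname and url.hostname != page_host and hits:
            findings.append({"host": url.hostname, "params": sorted(hits),
                             "csp_allows": host_allowed(url.hostname, allowlist)})
    return findings

# Constructed sample input: hosts, paths and the policy are invented for illustration.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://media.example.net https://cdn.example.org"
SAMPLE_HTML = """<script src="/static/checkout.js"></script>
<script src="https://cdn.example.org/lib.min.js"></script>
<script src="https://media.example.net/oembed?url=https%3A%2F%2Fmedia.example.net%2Fv%2F1&amp;callback=renderWidget"></script>"""
```

Calling `audit(SAMPLE_HTML, SAMPLE_CSP, "shop.example.com")` returns a single finding for `media.example.net`; the same page under a nonce-only `script-src` reports `csp_allows` as false.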
2025-01-08 23:08:23