SelectBlinds, a popular online retailer of blinds and shades, has disclosed a security breach that has impacted 206,238 of its customers.
Hackers managed to embed malware on the company's website that was capable of stealing sensitive information, including credit card details, names, addresses, phone numbers, and login credentials.
In breach notification documents filed in the states of California and Maine, SelectBlinds described how, on September 28, 2024, it discovered that malware had been present on its website's checkout page since at least January 7, 2024.
Customer contact details falling into the hands of malicious hackers is bad enough, but the fact that complete payment card details - including card numbers, expiry dates, and CVV security codes - were also taken during the attack is particularly serious.
For months, sensitive payment information was scraped unnoticed from online customers as they filled out the SelectBlinds checkout page to make their purchases. The data is likely to be sold via the dark web to other cybercriminal gangs for the purposes of fraud.
SelectBlinds says it has now removed the malware from its website, and is enforcing a password reset for all user accounts. Users attempting to log into their accounts will find themselves locked out and prompted to create a new password.
Affected clients of SelectBlinds would be wise to keep a close eye on their payment card statements to see if there are any unusual transactions. In addition, the company is urging customers to ensure that they are not using the same passwords anywhere else on the internet.
Credit-card skimming on website checkout pages is not a new threat.
Companies whose customers have been impacted by similar attacks in the past include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many, many more.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.