Skip to Content
Security & privacy

6,500 online stores hacked! Was your credit card info leaked?

Hacking a website is more work than you’d expect. That’s why you usually only see individual websites get attacked during data breaches.

A sweeping hacking campaign with multiple targets is a much trickier feat to pull off, but if a website hosting platform is vulnerable enough, every website attached to it is vulnerable too.

It’s bad enough to see one website get hacked, but how about thousands of websites at once? That’s what happened when a popular e-commerce platform was targeted by hackers; putting the financial information of millions of shoppers in harm’s way. If you visited any of these compromised websites, you may want to think about calling your bank:

More than 6,500 websites hacked in one fell swoop

According to new reports from ZDNet, hackers managed to breach the servers of Volusion — a popular e-commerce platform that hosts thousands of online stores and merchants. The attack specifically went after credit card and payment data entered by customers. The infected websites reportedly scanned this data and transmitted it for collection.

The hackers managed to pull of their heist by implanting lines of malicious code into a vulnerable server owned by Volusion. This caused a domino effect where the malicious code was pushed to all of the websites hosted by the company. At present, the code can still be found on Volusion’s website.

The malicious code itself is referred to by researchers as a “Magecart Attack,” which functions similarly to a credit card skimmer you’d find on an ATM or gas pump. When embedded in a web page, it scans for numbers and letters entered into fields on the page by the user. This includes credit card numbers, security codes and expiration dates.

Notable Volusion clients include the following e-commerce websites:

  • Sesame Workshop’s official Sesame Street store
  • The official Bob Ross store.
  • Pinky Paradise — a popular cosmetic contact lens store
  • My Vapor Store — an online vape shop
  • Arms Unlimited — a Las Vegas-based firearms store

Customers who have visited any of the affected websites are urged to check their bank statements and contact relevant credit agencies to secure their information.

Am I vulnerable to this data breach?

Volusion has identified more than 6,500 sites affected by the breach, but researchers suspect the issue may be larger than initially expected. This is because Volusion’s servers still contain the malicious code, which has been pushed to all of the websites hosted by the platform.

To find out if you’re affected, Publicwww has compiled a list of Volusion-hosted sites containing the malicious code. Their list is searchable and you can type the name of any e-tailers you’ve visited to see if they appear to be compromised. The list includes all websites that contain the corrupted code, so if the site you visited shows up in the search, you may be at risk. Click or tap to see the list of affected websites.

If you did happen to make a purchase from any compromised merchants, the first thing you should do is call your bank to report a potential fraud incident. They can help monitor your account for unauthorized activity and possibly help you recover lost money.

Additionally, contacting one of the major credit reporting agencies for a credit freeze is a smart way to prevent unauthorized access to your identity. You may also want to talk to them about credit monitoring until the issue is fully resolved.

For the time being, you may want to use the link above to check any online stores for compromise before you buy. Doing so can save you the heartache of a stolen credit card.

Update: Volusion has responded with a statement in regards to the incident:

“Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts.
 
A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.
 
Volusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants.”

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me