Bodybuilding.com Discloses Data Breach

Bodybuilding.com, a popular website for fitness and bodybuilding enthusiasts, announced last week that hackers were able to access its systems. 

The Boise, Idaho-based online retailer specializes in fitness articles, exercises, workouts, and supplements, and is currently among the top 1,700 sites in Alexa, though it was in the top 1,000 a year ago.

The retailer said that it recently became aware of a security incident impacting its systems, but that it has no evidence that personal customer information was accessed or misused. Even so, because certain customer information may have been impacted, it decided to notify all current and former users and customers. 

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” the online retailer says.

The company concluded its investigation on April 12 and “could not rule out that personal information may have been accessed.” However, it claims that there is no evidence that such data was accessed or misused. 

The company says that it took steps to understand the nature and scope of the issue immediately after discovering the incident. The retailer contracted external forensic consultants for the investigation, engaged with law enforcement, and is working with security experts to address flaws and remediate the incident.

While monitoring its systems for any unauthorized access, the retailer also decided to introduce additional security measures. Thus, Bodybuilding.com customers’ passwords will be reset upon their next log-in.

Potentially affected information, the retailer says, does not include full credit or debit card numbers, given that those are not stored when customers make purchases. Only the last four digits are stored for those users who opted in for storing the payment card number. 

“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the retailer explains. 

The intruders might have also had access to Bodybuilding.com usernames and passwords, the company adds. 

The company advises its users to change their password for any other account on which they might have used the same or similar information as for the Bodybuilding.com account, as well as to review their accounts for suspicious activity. Users should also be cautious of unsolicited communications asking for personal data and should avoid clicking on links or downloading attachments from suspicious emails.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
