Bodybuilding.com, a popular website for fitness and bodybuilding enthusiasts, announced last week that hackers were able to access its systems.
The Boise, Idaho-based online retailer is specialized in fitness articles, exercises, workouts, supplements, and is currently among the top 1,700 sites in Alexa, though it used to be top 1,000 a year ago.
The retailer said that it recently became aware of a security incident impacting its systems, but that it has no evidence that personal customer information was accessed or misused. Even so, because certain customer information may have been impacted, it decided to notify all current and former users and customers.
“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” the online retailer says.
The company concluded its investigation on April 12 and “could not rule out that personal information may have been accessed.” However, it claims that there is no evidence that such data was accessed or misused.
The company says that it took steps to understand the nature and scope of the issue immediately after discovering the incident. The retailer contracted external forensic consultants for the investigation, engaged with law enforcement, and is working with security experts to address flaws and remediate the incident.
While monitoring its systems for any unauthorized access, the retailer also decided to introduce additional security measures. Thus, Bodybuilding.com customers’ passwords will be reset upon their next log-in.
Potentially affected information, the retailer says, does not include full credit or debit card numbers, given that those are not stored when customers make purchases. Only the last four digits are stored for those users who opted in for storing the payment card number.
“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the retailer explains.
The intruders might have also had access to Bodybuilding.com usernames and passwords, the company adds.
The company advises its users to change their password for any other account on which they might have used the same or similar information as for the Bodybuilding.com account, as well as to review their accounts for suspicious activity. Users should also be cautious of unsolicited communications asking for personal data and should avoid clicking on links or downloading attachments from suspicious emails.
Related: California Introduces New Data Breach Notification Law
Related: Marriott Hit by Massive Data Breach: 500 Million Starwood Customers Impacted