Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Hackers Steal Customer Card Data From GameStop

Video gaming retail company GameStop appears to have been breached, with an unknown number of customers’ payment card details stolen.

Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.

Video gaming retail company GameStop appears to have been breached, with an unknown number of customers’ payment card details stolen.

Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.

The breach is thought to affect only online customers at the website Gamespot.com, without affecting any of Gamestop’s high street stores.

The breach was first reported by KrebsOnSecurity, Friday. Krebs blogged about the incident and also contacted GameStop, who immediately acknowledged the breach. 

Two sources in the finance industry told Krebs they had received reports from a credit card processor indicating that GameStop had probably been compromised between September 2016 and February 2017. The credit card processor will undoubtedly have informed Gamestop; but the brevity of the ‘security update‘  on the GameStop website suggests it has only recently become aware of the breach.

“GameStop recently received notification from a third party,” says the statement, “that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”

Noticeably for a company that has lost customer data, there is no offer of free credit monitoring for those affected — just the statement, “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges.” Hopefully, that simply means that Gamestop doesn’t yet know which or how many of its customers were compromised.

What isn’t yet clear is the extent of the breach. It is assumed that malware intercepted the card details before they were encrypted onsite. This assumption is based on the belief that the CVV2 code was also stolen. Since companies are not supposed to store this code, it is assumed the malware stole the details before it was discarded.

However, the reality is that hackers seem to have been in the system for at least five months, unnoticed. It is perfectly feasible that they were able to steal more than just the card details. Christopher Boyd, a malware intelligence analyst at Malwarebytes, told SecurityWeek, “Even without considering the ramifications of swiped payment information, any compromise of a company selling video games to the public could prove to be a huge boon for a scammer. If they could obtain lists of titles purchased, for example, they could try phishing for specific games that require a login. Beyond that, they could identify certain titles as running on a gaming platform — again, with its own login credentials.

“From there, they could sell those accounts on at a profit, or use them to phish further gamers. In this case, the information currently available suggests scammers may ‘only’ have payment information, but the danger is there to cause untold problems for people if just a little more (seemingly harmless) data were to be included.”

At the very least the incident demonstrates just how hard it is for defenders to detect an attacker once inside the system. Once again it seems that the breach was only uncovered by a third-party when the attackers started to monetize the theft.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Funding/M&A

Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.