Hackers Steal Customer Card Data From GameStop

Video gaming retail company GameStop appears to have been breached, with an unknown number of customers’ payment card details stolen.

Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.

The breach is thought to affect only online customers at the website Gamespot.com, without affecting any of Gamestop’s high street stores.

The breach was first reported by KrebsOnSecurity, Friday. Krebs blogged about the incident and also contacted GameStop, who immediately acknowledged the breach. 

Two sources in the finance industry told Krebs they had received reports from a credit card processor indicating that GameStop had probably been compromised between September 2016 and February 2017. The credit card processor will undoubtedly have informed Gamestop; but the brevity of the ‘security update‘  on the GameStop website suggests it has only recently become aware of the breach.

“GameStop recently received notification from a third party,” says the statement, “that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”

Noticeably for a company that has lost customer data, there is no offer of free credit monitoring for those affected — just the statement, “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges.” Hopefully, that simply means that Gamestop doesn’t yet know which or how many of its customers were compromised.

What isn’t yet clear is the extent of the breach. It is assumed that malware intercepted the card details before they were encrypted onsite. This assumption is based on the belief that the CVV2 code was also stolen. Since companies are not supposed to store this code, it is assumed the malware stole the details before it was discarded.

However, the reality is that hackers seem to have been in the system for at least five months, unnoticed. It is perfectly feasible that they were able to steal more than just the card details. Christopher Boyd, a malware intelligence analyst at Malwarebytes, told SecurityWeek, “Even without considering the ramifications of swiped payment information, any compromise of a company selling video games to the public could prove to be a huge boon for a scammer. If they could obtain lists of titles purchased, for example, they could try phishing for specific games that require a login. Beyond that, they could identify certain titles as running on a gaming platform — again, with its own login credentials.

“From there, they could sell those accounts on at a profit, or use them to phish further gamers. In this case, the information currently available suggests scammers may ‘only’ have payment information, but the danger is there to cause untold problems for people if just a little more (seemingly harmless) data were to be included.”

At the very least the incident demonstrates just how hard it is for defenders to detect an attacker once inside the system. Once again it seems that the breach was only uncovered by a third-party when the attackers started to monetize the theft.