Video gaming retail company GameStop appears to have been breached, with an unknown number of customers’ payment card details stolen.
Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.
The breach is thought to affect only online customers of the GameStop.com website, not shoppers at GameStop’s high street stores.
The breach was first reported by KrebsOnSecurity on Friday. Krebs blogged about the incident and also contacted GameStop, which immediately acknowledged the breach.
Two sources in the finance industry told Krebs they had received reports from a credit card processor indicating that GameStop had probably been compromised between September 2016 and February 2017. The credit card processor will undoubtedly have informed GameStop, but the brevity of the ‘security update’ on the GameStop website suggests the company has only recently become aware of the breach.
“GameStop recently received notification from a third party,” says the statement, “that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”
Notably for a company that has lost customer data, there is no offer of free credit monitoring for those affected — just the statement, “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges.” Hopefully, that simply means that GameStop doesn’t yet know which or how many of its customers were compromised.
What isn’t yet clear is the extent of the breach. It is assumed that malware intercepted the card details before they were encrypted onsite. This assumption is based on the belief that the CVV2 code was also stolen. Since companies are not supposed to store this code, it is assumed the malware captured the details before the code was discarded.
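To make the reasoning above concrete, here is an added illustration (not code from the article, GameStop, or any investigator) of what “not storing the CVV2” looks like in a checkout handler, and how a defender can check stored records for data that should never be there. The flow, field names, `authorize()` stand-in, token scheme and sample card are all constructed; a real deployment would obtain its token from a payment processor or vault rather than hashing the PAN.

```python
"""
Hypothetical checkout flow (constructed for illustration):
- the CVV2 is read exactly once, inside the authorization call, and never
  written to the persisted order record;
- a compliance scan walks stored records and flags any CVV2-like field or
  full card number that leaked into storage.
Data that never reaches disk can only be stolen while it is in memory or in
transit, which is the inference the article draws from the stolen CVV2 codes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hashlib
import re


@dataclass
class CardInput:
    """Card details as submitted by the customer (transient, never persisted)."""
    pan: str      # full card number
    expiry: str   # "MM/YY"
    name: str
    cvv2: str


@dataclass
class StoredOrder:
    """What the shop is allowed to keep after the sale."""
    order_id: str
    card_token: str           # opaque reference instead of the PAN
    last4: str
    expiry: str
    name: str
    extra: Dict[str, str] = field(default_factory=dict)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(pan: str, secret: bytes) -> str:
    """Placeholder token: a keyed hash truncated to 24 hex chars (constructed)."""
    return hashlib.sha256(secret + pan.encode()).hexdigest()[:24]


def authorize(card: CardInput, amount_cents: int) -> bool:
    """Stand-in for the processor call: the only place the CVV2 is consumed."""
    return amount_cents > 0 and card.cvv2.isdigit() and len(card.cvv2) in (3, 4)


def checkout(order_id: str, card: CardInput, amount_cents: int,
             secret: bytes) -> Optional[StoredOrder]:
    """Compliant handler: persists a token and last four digits, never the CVV2."""
    if not authorize(card, amount_cents):
        return None
    return StoredOrder(order_id, tokenize(card.pan, secret),
                       card.pan[-4:], card.expiry, card.name)


def checkout_leaky(order_id: str, card: CardInput, amount_cents: int,
                   secret: bytes) -> Optional[StoredOrder]:
    """Non-compliant variant: copies sensitive fields into a free-form dict."""
    order = checkout(order_id, card, amount_cents, secret)
    if order is not None:
        order.extra["cvv2"] = card.cvv2       # must never be stored
        order.extra["raw_pan"] = card.pan     # must be tokenized, not stored
    return order


CVV_FIELD = re.compile(r"^(cvv2?|cvc2?|cid|security_code)$", re.IGNORECASE)
PAN_VALUE = re.compile(r"^\d{13,19}$")


def scan_for_prohibited_data(orders: List[StoredOrder]) -> List[Tuple[str, str]]:
    """Flag stored records carrying a CVV2-named field or a Luhn-valid full PAN."""
    findings: List[Tuple[str, str]] = []
    for order in orders:
        for key, value in order.extra.items():
            if CVV_FIELD.match(key):
                findings.append((order.order_id, f"CVV2 stored in field '{key}'"))
            elif PAN_VALUE.match(value) and luhn_ok(value):
                findings.append((order.order_id, f"full PAN stored in field '{key}'"))
    return findings


if __name__ == "__main__":
    # Constructed sample card; 4111... is the usual Luhn-valid test number.
    sample = CardInput("4111111111111111", "12/27", "A. Customer", "123")
    good = checkout("order-1", sample, 1999, b"demo-secret")
    bad = checkout_leaky("order-2", sample, 1999, b"demo-secret")
    for oid, issue in scan_for_prohibited_data([good, bad]):
        print(f"{oid}: {issue}")
```

The scan is the kind of check a merchant can run over its own database or log exports: a hit means card data is resting somewhere it should not be, which widens the window in which a resident attacker can collect it. A clean scan, as the article’s reasoning goes, points the investigation at the request path and memory rather than at storage.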
However, the reality is that hackers seem to have been in the system for at least five months, unnoticed. It is perfectly feasible that they were able to steal more than just the card details. Christopher Boyd, a malware intelligence analyst at Malwarebytes, told SecurityWeek, “Even without considering the ramifications of swiped payment information, any compromise of a company selling video games to the public could prove to be a huge boon for a scammer. If they could obtain lists of titles purchased, for example, they could try phishing for specific games that require a login. Beyond that, they could identify certain titles as running on a gaming platform — again, with its own login credentials.
“From there, they could sell those accounts on at a profit, or use them to phish further gamers. In this case, the information currently available suggests scammers may ‘only’ have payment information, but the danger is there to cause untold problems for people if just a little more (seemingly harmless) data were to be included.”
At the very least the incident demonstrates just how hard it is for defenders to detect an attacker once inside the system. Once again it seems that the breach was only uncovered by a third party when the attackers started to monetize the theft.