Connect with us

Hi, what are you looking for?



Topps Customer Data Exposed After Website Hack

Topps this week sent out emails informing users that its website was hacked earlier this year and that personal information, including credit card data, was stolen.

Topps this week sent out emails informing users that its website was hacked earlier this year and that personal information, including credit card data, was stolen.

The iconic maker of baseball another sports trading cards sent email notifications to potentially impacted users to inform them on the data breach and that personal information submitted to the Topps website ( might have been compromised. According to the email, “one or more intruders” gained to sensitive information via unauthorized access to the company’s website.

The notification said that compromised data includes names, addresses, email addresses, phone numbers, credit card and debit card numbers, card expiration dates, and card verification numbers. Impacted customers are those who placed orders through the Topps website between around July 30 and October 12, 2016.

The company also said that the information submitted by users who used PayPal to complete transactions might have not been compromised. However, the company is notifying these users as well of the incident.

Topps also told customers that, once it became aware of the incident, it engaged with a security firm to examine its network, and worked with the security firm and with its development and hosting companies to improve the security of its system.

“We stopped the incident and continue to work with our security firm to help prevent a similar incident from happening again,” the company said.

Some Topps customers say they already noticed fraudulent activity on their bank accounts. Fraudulent purchases were made using their credit card numbers after they used the compromised credit cards to buy items through the Topps Now platform.

Advertisement. Scroll to continue reading.

This is the second security incident involving Topps to have been made public this year, after MacKeeper security researcher Chris Vickery revealed in June that a database was exposing Topps mobile app fans’ data. The database was found to be a MongoDB installation that was open on port 27017.

Vickery attempted to inform the Topps support team on the matter, but his emails ended up in spam, because “an employee thought he was trying to sell something,” reported at the time. It wasn’t until after got involved and contacted Topps headquarters on the phone that the issue was addressed.

The newly detailed incident was apparently discovered and reported by blowoutcards forum member houdini. The forum member says that the incident was brought to Topps’ attention on October 12, because the “owner of BO was in a meeting with Topps” at the time.

Related: Noodles & Company Confirms Payment Card Breach

Related: Target’s Data Breach: The Commercialization of APT

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...