Topps this week sent out emails informing users that its website was hacked earlier this year and that personal information, including credit card data, was stolen.
The iconic maker of baseball another sports trading cards sent email notifications to potentially impacted users to inform them on the data breach and that personal information submitted to the Topps website (www.topps.com) might have been compromised. According to the email, “one or more intruders” gained to sensitive information via unauthorized access to the company’s website.
The notification said that compromised data includes names, addresses, email addresses, phone numbers, credit card and debit card numbers, card expiration dates, and card verification numbers. Impacted customers are those who placed orders through the Topps website between around July 30 and October 12, 2016.
The company also said that the information submitted by users who used PayPal to complete transactions might have not been compromised. However, the company is notifying these users as well of the incident.
Topps also told customers that, once it became aware of the incident, it engaged with a security firm to examine its network, and worked with the security firm and with its development and hosting companies to improve the security of its system.
“We stopped the incident and continue to work with our security firm to help prevent a similar incident from happening again,” the company said.
Some Topps customers say they already noticed fraudulent activity on their bank accounts. Fraudulent purchases were made using their credit card numbers after they used the compromised credit cards to buy items through the Topps Now platform.
This is the second security incident involving Topps to have been made public this year, after MacKeeper security researcher Chris Vickery revealed in June that a database was exposing Topps mobile app fans’ data. The database was found to be a MongoDB installation that was open on port 27017.
Vickery attempted to inform the Topps support team on the matter, but his emails ended up in spam, because “an employee thought he was trying to sell something,” DataBreaches.net reported at the time. It wasn’t until after DataBreaches.net got involved and contacted Topps headquarters on the phone that the issue was addressed.
The newly detailed incident was apparently discovered and reported by blowoutcards forum member houdini. The forum member says that the incident was brought to Topps’ attention on October 12, because the “owner of BO was in a meeting with Topps” at the time.