- The online store of ‘Hanna Andersson’ was infected with Magecart code for two months.
- The retailer says they can’t determine how many people were compromised, so everyone is being notified.
- The credit card details that were stolen are already on sale on dark web marketplaces.
‘Hanna Andersson’, the popular children’s apparel maker from Portland, US, has been hit by Magecart actors. The retail company operates both physical stores and online shops, and this event concerns the latter. Malicious actors managed to plant their card skimming code in the Hanna Andersson payment page, and nobody noticed it until two months had passed. This means that everyone who bought something from the online store between September and November may have had their payment data stolen. Most of these customers have already received the notification below.
Hannah Anderson was breached. Notices started going out the 15th.
Name, address, billing information, and credit card info are thought to be compromised. @troyhunt another one for your collection? pic.twitter.com/ervMIdaNEi
— Stryke the Orc (@stryke_the_orc) January 18, 2020
Hanna Andersson clarifies that not everyone who made a purchase within this period is necessarily compromised. However, they have not managed to determine the actual number of people impacted by the incident. The leaked data includes customer names, shipping address, billing address, credit/debit card number, CVV code, and expiration date. Unfortunately, since the CVV code is included, actors may proceed to the ultimate exploitation step right away, which would be to use the stolen cards to make purchases online. Thus, all Hanna Andersson customers are advised to monitor their credit card activity and report anything suspicious to their card issuer.
Around the same period, between November 19 and 27, 2019, another retailer (Sweaty Betty), which was using the Salesforce Commerce Cloud platform, was infected by Magecart code. Security expert Jérôme Segura believes that this could be due to a vulnerability in the CMS. Right now, the product is used by more than 2800 websites, so the existence of a vulnerability that enables malicious actors to inject their card skimming code is a dire possibility.