nutribullet pic

Hackers Steal Credit Card Data From NutriBullet Customers Through Magecart Attacks

The attacks, which targeted NutriBullet’s official website, were acknowledged by the company but it’s not clear whether affected customers will be notified.

Hackers were able to obtain customers’ credit card numbers, billing addresses, names and more personal information from blender manufacturer NutriBullet’s website several times over the past two months, according to a report from security firm RiskIQ.

Magecart hackers, who target online shopping cart systems using malware that “skims” credit card data from websites, were behind the attacks. The data was scraped and stored on a third-party server after the hackers were able to inject the malware on payment pages. From there, the attackers were able to sell the credit card information on the dark web, RiskIQ reported.

The hackers still have access to NutriBullet’s website infrastructure, despite the fact that the company combated the hacking by removing the malicious code each time, according to the report. NutriBullet’s chief information officer Peter Huh confirmed to TechCrunch that the intrusions had occurred and that the company had launched investigations into the incident.

However, Huh would not say whether customers would be notified about their credit card information being stolen. NutriBullet will “work closely with outside cybersecurity specialists to prevent further incursions,” Huh told TechCrunch.

Yonathan Klijnsma, the head of threat research for RiskIQ, said that the research team reached out to NutriBullet via its support channel and LinkedIn less than 24 hours after detecting an attack on Feb. 20. But as of publication of the report on March 18, the company had not responded to RiskIQ.

“The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers,” Klijnsma wrote.

Lamar Bailey, the senior director of security research at Tripwire, said that the findings by RiskIQ show that websites, particularly those that are serving as “market fronts,” must be under strict change control. This means that any modifications to the website’s code should be approved or expected. If they are not, those changes to the code should not be allowed to go through and prompt an immediate investigation, Bailey said.

Companies’ failure to responsibly disclose cybersecurity issues or hacks also remains “a major issue,” Bailey said. He added that all sites should provide a contact page dedicated to security concerns.

“Emailing or calling support is often very frustrating and leads to a dead-end,” Bailey said. “The front line support engineers don’t understand the gravity of the situation or have no idea how to route the concerns to the correct group. We often try to contact company leadership via email or LinkedIn, but many of these attempts go unanswered because they are assumed to be spam or sales tactics.”

Photo by Your Best Digs / Flickr Creative Commons

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.