Bodybuilding.com data breach: users prompted to reset passwords

by Olivia Morelli - - 2019-04-24

A malicious phishing email allowed attackers to breach Bodybuilding.com internal network

Bodybuiling.com data breach Bodybuiling.com suffers a cyberattack: hackers managed to access internal networks via a phishing email

One of the largest online fitness and bodybuilding stores Bodybuilding.com has announced^[1] data breach that has been up on investigation since February 2019. While the cyber attack was stopped, it is known that the data was exposed, although it is not clear whether it was compromised by the attackers.

Soon after the news broke out, the company hired third-party forensic investigators, although they as well could not determine whether or not the customer data was breached.

The incident started back in July last year when at least one of the employees fell for a phishing email and opened a malicious attachment. Consequently, the malicious actors managed to breach internal networks in February 2019.

Although it is not known when Bodybuilding.com detected the breach, the company went public with the incident on April 19, when it announced that the internal analysis has come to an end on April 12.

No payment information or Social Security numbers affected by the breach

In its official page, Bodybuilding.com explained that there were no signs of the leaked data. The company cannot state that information gathered personal data and misused it as there has been no evidence of such activity. However, the company is still notifying all potential victims as a measure of precaution:

Bodybuilding.com recently became aware of a data security incident that may have affected certain customer information in our possession. We have no evidence that personal information was accessed or misused, but we are directly notifying all current and former users and customers out of an abundance of caution.

Even if hackers managed to steal the information, the company prompted all its users to reset passwords that they used for their online account.

However, the login credentials are not the only data that might have been breached. According to Bodybuilding.com, bad actors could have also stolen such information as name, phone number, email, address, birth date, shipping or billing address, billing/shipping address and any information included in BodySpace profile.

Despite that, the company said that most of this information is already reachable by default as per Terms and Conditions:

Note that BodySpace profile information is generally already publicly visible to others, as noted in our applicable Privacy Policy and Terms of Use available here: https://www.bodybuilding.com/help?legal-and-privacy.

Additionally, as the company does not collect full payment details, no credit card data could be in danger, as well as social media account passwords and Social Security numbers.

Bodybuiling.com is actively working on preventing future breaches

Bodybuiling.com stated that it is taking all precautionary measures that are necessary to deal with the situation and avoid the repeated attack in the future. The company claims that it has informed the law enforcement agencies about this incident and is also cooperating with highly-experienced specialists to spot any other flaws possible and avoid harm:

Upon discovering the incident, we took steps to understand the nature and scope of the issue, and brought in external forensic consultants that specialize in cyber-attacks. We have engaged with law enforcement and are working with leading security experts to address any vulnerabilities and remediate the incident.

Additionally, the online store is warning users about phishing emails that might come to all users' inboxes, as it is highly publicized in the media, and crooks are quick to utilize such an incident. For example, before the GDPR^[2] data protection law was implemented, bad actors used the fact to make users click on malicious links or give away their sensitive information.^[3]

Bodybuilding.com is very popular among computer users, as it receives more than 30 million visits every month. This website was never popular in the eye site of news websites and researchers as it has not experienced any similar activities in the past. The only flaw that the online store has ever experienced was discovered by a forum user who claimed^[4] that he or she could upload HTML files that included JavaScript links, which would allow cross-site scripting^[5] attacks.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Data Incident. Bodybuilding.com. Help Center.
^ Danny Palmer. What is GDPR? Everything you need to know about the new general data protection regulations. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Lucia Danes. Cybercriminals using GDPR implementation to scam Airbnb clients. 2-spyware. Cybersecurity news and articles.
^ Major Security Hole Discovered. Bodybuilding.com Official forums.
^ What is cross site scripting (XSS). Imperva. Cybersecurity company.