A malicious phishing email allowed attackers to breach Bodybuilding.com's internal network
Bodybuilding.com, one of the largest online fitness and bodybuilding stores, has announced a data breach that has been under investigation since February 2019. The attack was contained, and customer data is known to have been exposed, but it is not clear whether the attackers actually took any of it.
After discovering the incident, the company brought in third-party forensic investigators, but they too could not determine whether customer data had been accessed or exfiltrated.
The chain of events began in July 2018, when at least one employee fell for a phishing email and opened a malicious attachment. That foothold is believed to have led to the intrusion into the internal network that came under investigation in February 2019.
The company has not said exactly when it detected the intrusion, but it went public with the incident on April 19, stating that its internal analysis had concluded on April 12.
No payment information or Social Security numbers affected by the breach
In its official notice, Bodybuilding.com said it had found no sign that the exposed data was taken. It does not claim that no personal data was accessed or misused, only that it has no evidence of such activity. Nevertheless, it is notifying all potential victims as a precaution:
Bodybuilding.com recently became aware of a data security incident that may have affected certain customer information in our possession. We have no evidence that personal information was accessed or misused, but we are directly notifying all current and former users and customers out of an abundance of caution.
In case the attackers did obtain the information, the company is prompting all users to reset the passwords for their online accounts. Anyone who reused that password on another service should change it there as well, since leaked credentials are routinely tried against other sites.
Login credentials are not the only data that may have been exposed, however. According to Bodybuilding.com, the attackers could also have obtained names, email addresses, phone numbers, billing and shipping addresses, birth dates, and any information included in a BodySpace profile.
The company added that much of this information, in particular what is included in a BodySpace profile, is already viewable by default under its Terms and Conditions.
Because the company does not collect full payment details, no credit card data was at risk; social media account passwords and Social Security numbers were likewise not affected.
Bodybuilding.com is actively working on preventing future breaches
Bodybuilding.com stated that it is taking the precautionary measures necessary to deal with the situation and to prevent a repeat of the attack. The company says it has informed law enforcement of the incident and is working with experienced security specialists to find and fix any remaining vulnerabilities:
Upon discovering the incident, we took steps to understand the nature and scope of the issue, and brought in external forensic consultants that specialize in cyber-attacks. We have engaged with law enforcement and are working with leading security experts to address any vulnerabilities and remediate the incident.
The company is also warning users to expect follow-on phishing emails: widely reported breaches are routinely exploited by scammers who pose as the affected company. Ahead of GDPR taking effect, for example, attackers used the wave of legitimate privacy notices as cover for emails that lured users into clicking malicious links or giving away sensitive information. Anyone who receives an email about this incident should open the Bodybuilding.com site directly rather than follow links or open attachments in the message.