European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.
Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.
It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions.
Detailing the data theft in a post on its website, Vision Direct writes that customer data was compromised between 12.11am GMT on November 3, 2018 and 12.52pm GMT on November 8, with any logged-in users who were ordering or updating their information on VisionDirect.co.uk in that time window potentially affected.
It says it has emailed customers to notify them of the data theft.
“This data was compromised when entering data on the website and not from the Vision Direct database,” the company writes on its website. “The breach has been resolved and our website is working normally.”
“We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice,” it adds.
(As an aside, Fintech startup Revolut didn’t hang around waiting for concerned customers to call — blogging today that, on hearing the breach news, it quickly identified 80 of its customers who had been affected. “As a precaution, we immediately contacted all affected customers letting them know that we had cancelled their existing cards and would be sending them a replacement one for free,” it adds.)
Vision Direct says affected payment methods include Visa, Mastercard and Maestro — but not PayPal (although it says PayPal users’ personal data may still have been swiped).
It claims existing personal data previously stored in its database was not affected by the breach — writing that the theft “only impacted new information added or updated on the VisionDirect.co.uk website” (and only during the aforementioned time window).
“All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach,” it adds.
Data appears to have been compromised via a JavaScript keylogger running on the Vision Direct website, according to security researcher chatter on Twitter.
After the breach was made public, security researcher Troy Mursch quickly found a fake Google Analytics script had been running on Vision Direct’s UK website:
That's exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js – you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3 pic.twitter.com/rY13cMR2TL
— Bad Packets Report (@bad_packets) November 18, 2018
The malicious script also looks to have affected additional Vision Direct domains in Europe, as well as users of other ecommerce sites (at least one of which the researchers found still running the fake script)…
It wasn't just UK. Also infected between Nov 3rd and Nov 8th:
https://t.co/fQy7WsKmfq
https://t.co/8JUn9frF9v
https://t.co/WBCPQOIv46
https://t.co/DCyaQzuTkM
https://t.co/pwfBvDWZDz
https://t.co/q9of3VMPZ5
https://t.co/LclCV3VvHY
https://t.co/Ouge4ebR7v
https://t.co/85sRXtC50m
— Willem de Groot (@gwillem) November 18, 2018
Additional compromised websites containing the fake Google Analytics (credit card stealing) script can be found via https://t.co/3jKljjDieZ pic.twitter.com/nBdyT8LCWR
— Bad Packets Report (@bad_packets) November 18, 2018
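The technique the researchers describe is a skimmer loaded as a third-party script from a lookalike of a trusted analytics domain (g-analytics[.]com standing in for google-analytics.com). One routine check a site operator can run against a saved copy of a checkout page is to compare every external script host against an allowlist of expected hosts and flag anything unexpected, with a separate flag for hosts that resemble an allowed one. The following is an added example written for this article, not code from Vision Direct or from the researchers quoted; the allowlist, the `shop.example` page origin and the sample HTML are constructed, and the lookalike heuristic is an assumption for illustration, not a standard.

```javascript
// Added example (not from the article): audit the external <script src> hosts in a
// page snapshot against an allowlist of expected third-party script hosts. A host
// that is absent from the allowlist but resembles an allowed one (as g-analytics.com
// resembles google-analytics.com) is reported as a probable lookalike.

const ALLOWED_SCRIPT_HOSTS = new Set([
  'www.google-analytics.com',
  'www.googletagmanager.com',
  'shop.example', // the site's own host (assumed placeholder origin)
]);

// Pull the src attribute out of every <script ...> tag. A regex is sufficient for an
// offline snapshot; in a live browser context the DOM would be walked instead.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve relative and absolute src values to a lowercase hostname.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Assumed lookalike heuristic: compare the first DNS label of each host (ignoring a
// leading "www.") and treat one containing the other, or both containing a common
// tag-vendor keyword, as a resemblance worth reporting.
function looksLike(host, allowed) {
  const label = h => h.replace(/^www\./, '').split('.')[0];
  const a = label(host);
  const b = label(allowed);
  if (a === b) return false;
  if (a.includes(b) || b.includes(a)) return true;
  return ['analytics', 'tagmanager', 'gtm'].some(k => a.includes(k) && b.includes(k));
}

// Returns one finding per external script host that is not on the allowlist.
function auditScriptSources(html, pageOrigin, allowlist = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    const host = hostOf(src, pageOrigin);
    if (!host || allowlist.has(host)) continue;
    const lookalikeOf = [...allowlist].find(ok => looksLike(host, ok)) || null;
    findings.push({
      src,
      host,
      verdict: lookalikeOf ? 'lookalike' : 'unexpected',
      lookalikeOf,
    });
  }
  return findings;
}

// Constructed sample page: one legitimate analytics tag, one first-party script, and
// one tag loaded from the lookalike domain named in the researchers' tweets.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://g-analytics.com/libs/1.0.16/analytics.js"></script>
<script src="/static/checkout.js"></script>
</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditScriptSources(SAMPLE_HTML, 'https://shop.example'));
}
```

Run against the sample page, the audit passes the legitimate Google Analytics tag and the first-party checkout script and reports the `g-analytics.com` script as a lookalike of `www.google-analytics.com`. The same allowlist can be enforced at the browser rather than merely checked afterwards: a Content Security Policy `script-src` directive restricted to the expected hosts would prevent a tag from an unlisted domain from executing at all, and Subresource Integrity hashes on the expected tags would catch a swapped payload at an allowed host.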
Another security researcher, Willem de Groot, picked up on the scam in September, writing in a blog post then that: “The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.”
He also found the malware had “spread to various websites”, saying its creator had crafted “14 different copies over the course of 3 weeks”, and tailored some versions to include a fake payment popup form “that was built for a specific website”.
“These instances are still harvesting passwords and identities as of today,” de Groot warned about two months before Vision Direct got breached.
— Troy Hunt (@troyhunt) November 18, 2018