Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Newegg card skimming hack stole customer payment details for over a month

Online retailer Newegg has become the victim of a month-long data breach, with the payment details of thousands of customers potentially acquired by hackers, by adding code to the store's payments page in a similar manner to other recent attacks.

The breach, discovered and verified by security firm Volexity in collaboration with RiskIQ, appears to have been in operation since August 14 and ran until September 18, reports TechCrunch. The attack, which injected just 15 lines of code into the payments page, allowed for credit card information to be skimmed and stored on a private server during the checkout process.

The attackers created a website with a similar name to Newegg's store, titled in such a way as to avoid suspicion, and was even issued its own HTTPS certificate. When alerted, Newegg removed the JavaScript from the site and started to alert customers.

Newegg chief executive Danny Lee advised to customers in an email the company has not yet determined which accounts were affected, with the size of the attack largely unknown. As a major retailer earning 2.65 billion in revenue in 2016 and having more than 45 million monthly unique visitors, the number of affected customers who shopped at Newegg during the period could be quite high.

The attack hit both desktop and mobile versions of the Newegg site, but it is unclear if mobile users were affected by the breach at all.

According to RiskIQ, the attack is a continuation of a string of compromises known as "Magecart," which has impacted a number of major businesses. Analysis of the attack reveals it to be similar to those hitting British Airways' booking system and Ticketmaster, with each targeting booking and payment systems by acquiring the data before it reaches the company's servers, rather than attacking the servers directly.

The similarity of the code between the British Airways and Newegg attacks suggest it to be from the same code base, and possibly from the same hackers. Few elements were changed in the code, but the length of the JavaScript code was shorter in Newegg's version due to only needing to serialize one form, rather than the multiple forms used by the airline.

The relative ease and length of time the breach can exist for certainly suggests future attacks of this type could stick around for some time, and with a wide variety of available targets.

"The breach of Newegg shows the true extent of Magecart operators' reach," advised RiskIQ's Jonathan Klijnsma. "These attacks are not confined to certain geolocations or specific industries - any organization that processes payments online is a target."



6 Comments

GeorgeBMac 8 Years · 11421 comments

Another reason to use ApplePay.
But weirdly, I have friends who don't trust ApplePay and keep putting their credit cards out there...

magman1979 11 Years · 1301 comments

Another reason to use ApplePay.

But weirdly, I have friends who don't trust ApplePay and keep putting their credit cards out there...

Those friends belong to the "Can't teach an old dog new tricks" with that mentality... I know a few myself, and I argue with them constantly, cause they're the ones who don't even use chip cards (swipe), and have no passcodes on their smartphones *SMH*

nunzy 6 Years · 662 comments

This is one reason among many to only buy direct from Apple. The other is that way, Apple doesn't hhave to share any money with third parties. They get it all.

jbdragon 10 Years · 2312 comments

Another reason to use ApplePay.

But weirdly, I have friends who don't trust ApplePay and keep putting their credit cards out there...
Those friends belong to the "Can't teach an old dog new tricks" with that mentality... I know a few myself, and I argue with them constantly, cause they're the ones who don't even use chip cards (swipe), and have no passcodes on their smartphones *SMH*

Having had fraud on my Credit cards 2 years in a row. Luckily it was stopped by Wells Fargo Fraud Department. I know the last time, it was some order in Canada for some Pills. It's been a few years, just before Apple Pay first came out. I have no idea how they get my Credit Card info. But I use Apple Pay anywhere and everywhere I can these days, if I can't use that, my second option is PayPal. Because again, I'm not giving out my Credit Card info. But if you use Paypal, Do NOT give out your Bank Checking account number so they can get your money directly that way. You have very little protection that way. Use your Credit Card ONLY!!! At most you're liable for $50 with a credit card. I've never even paid that. So in general it's ZERO. Even a Debit card is not as good protection wise as a Credit Card.

So NO ACH Transactions!!! (Automated Clearing House) This is how they take money directly out of your Checking Account. They ask you to enter the numbers of the bottom of your Check. Don't do it!!! PayPal could screw you over that way.

These places keep getting hacked and getting our Credit Card Numbers. it's these BIG Company's that actually hold onto Credit Card numbers!!! They're the ones that keep getting hacked and Millions of people's credit cards number sold to others. Small Mom and Pop places, you run the card in the small terminal and the transaction is done. They are not storing your Credit Card Data. If you go to a restaurant and hand your card over to someone and it leave your site, well they can easily get all the info right off the front and back of it i seconds. So it would be a bad employee in that case, not the business.

applehead 13 Years · 4 comments

I always use Apple Pay with Newegg.