Online retailer Newegg has been the victim of a one-month data breach in which the payment details of thousands of customers may have been obtained by hackers, who added code to the store's payment page in the same way as in other recent attacks.
The breach, discovered and verified by security company Volexity in collaboration with RiskIQ, appears to have begun on 14 August and run until 18 September, reports TechCrunch. The attack, which injected only 15 lines of code into the payment page, allowed credit card information to be skimmed during the checkout process and stored on a private server.
Newegg CEO Danny Lee advised customers in an e-mail that the company has not yet identified which accounts have been affected, and the scale of the attack remains largely unknown. Because Newegg is a large retailer, with 2.65 billion in revenue in 2016 and more than 45 million monthly unique visitors, the number of affected customers who shopped there during the period could be quite high.
The attack hit both the desktop and mobile versions of the Newegg site, but it is unclear whether mobile users were affected by the breach at all.
According to RiskIQ, the attack is a continuation of a series of compromises known as "Magecart", which has hit a number of large companies. Analysis of the attack reveals that it is similar to the attacks on the British Airways and Ticketmaster reservation systems: each targeted the reservation and payment system and collected the data before it reached the company's servers, instead of attacking the servers directly.
The relative ease and duration of the breach may well suggest that attacks of this type will continue for a while, and against a wide variety of available targets.
"Newegg's violation shows the actual size of the Magecart operators' range," said Jonathan Klijnsma of RiskIQ. "These attacks are not limited to certain geolocations or specific industries – any organization that processes online payments is a target."