[BreachExchange] AeroGarden maker says hacker stole months of credit card data

Destry Winant destry at riskbasedsecurity.com
Tue Apr 9 02:01:06 EDT 2019


https://techcrunch.com/2019/04/05/aerogarden-credit-card-breach/

Bad news for home gardeners: criminals might have your credit card data.

AeroGrow, the maker of the at-home garden kit AeroGarden, said in a
letter to customers that its website had credit card scraping malware
for more than four months.

The company said anyone who bought something through its website
between October 29, 2018 and March 4, 2019 had their credit card
number, expiration date and card verification value — also known as a
security code — stolen by the malware. In most cases, that’s all
someone would need to make fraudulent purchases.

It’s the latest in a string of high-profile malware attacks targeting
websites in the past year. Attackers often will find a vulnerability
in the website running a company’s shopping cart and inject code that
scrapes credit card data once it is entered into the form on the site.
That data gets siphoned off and sent to a server controlled by the
attacker. Because the code is running on the page, there’s no
discernible or obvious way to tell if a website is affected.

One of the more well-known hacker groups is Magecart, a
collective of different hackers of varying skill sets, which attack
websites large and small. In the past year, the hacker groups have
targeted Ticketmaster, British Airways and consumer electronics giant
Newegg — and many more.

AeroGrow didn’t say how many customers were affected. We’ve reached
out and will update if we hear back.

