[BreachExchange] Bodybuilding.com discloses security breach

Inga Goddijn inga at riskbasedsecurity.com
Tue Apr 23 09:33:42 EDT 2019


https://www.zdnet.com/article/bodybuilding-com-discloses-security-breach/

Bodybuilding.com, the internet's biggest online store and online forum for
fitness and bodybuilding enthusiasts, disclosed last week a security
breach that impacted its IT systems.

Customer data might have been exposed, the company said in a short message
<https://www.bodybuilding.com/help?notifications&data-incident> posted on
its website. Its staff isn't sure if the attacker accessed customer data,
though.

A third-party security firm was hired to help with the investigation, but
forensics experts couldn't confirm that customer data was stolen from
Bodybuilding.com's servers, either.

Bodybuilding.com said investigators traced the unauthorized activity to a
phishing email its staff received in July 2018. At least one employee
appears to have fallen for this email.

Hackers used the data they obtained from this phishing email to access the
company's network in February 2019. Bodybuilding.com didn't say when it
detected the intrusion, but it said it finished its investigation on April
12. It went public with the security breach a week later, on April 19.

Despite not knowing if hackers accessed customer data, Bodybuilding.com
decided to do the right thing and notify all of its customers of the
security incident, as a precaution.

It also reset all users' passwords, to prevent any abuse in case
attackers did manage to steal any data.

According to the company, if hackers did manage to access and steal
customer data, possibly exposed details will include name, email address,
billing/shipping addresses, phone number, order history, any communications
with Bodybuilding.com, birthdate, and any information included in BodySpace
profiles.

Social Security numbers and payment card details were not exposed, the
company said, as the site never collected this information in the first
place.

Besides notifying users of the breach, Bodybuilding.com is also alerting
users that scammers might also try to imitate its data breach disclosure
notifications for online fraud or phishing attacks.

Please note that the email from Bodybuilding.com does not ask you to click
on any links or contain attachments and does not request your personal
data. If the email you received about this issue prompts you to click on a
link, suggests you download an attachment, or asks you for information, the
email was not sent by Bodybuilding.com and may be an attempt to steal your
personal data. Avoid clicking on links or downloading attachments from such
suspicious emails. Any link included in our email to users directs users to
insert the Bodybuilding.com FAQs URL into your browser and does not request
your personal data.

Bodybuilding.com is one of the internet's most visited sites, currently
#1,657 on the Alexa website ranking. The site has over seven million
registered users on its forum, and its website receives over 30 million
visitors per month. The last time the site dealt with a major security
issue was in 2008
<https://forum.bodybuilding.com/showthread.php?t=106793071>.