[BreachExchange] Topps Security Breach May Have Exposed Customer Information

Destry Winant destry at riskbasedsecurity.com
Mon Mar 4 09:08:52 EST 2019


Topps has announced a security breach that may have impacted customers
who used the company’s website from November 19, 2018 to January 9,
2019.

Topps filed a data breach notification late last week. They’re telling
customers they became aware of possible unauthorized access on
December 26 and launched an investigation with help from an external
security firm.

On January 10, they confirmed hackers may have had access to or
acquired payment card and other information from customers who placed
orders on Topps.com during that 51-day period.  It’s believed those
who paid with PayPal were not affected by the breach.

“While we cannot confirm whether your personal information was
accessed or acquired, the investigation confirmed that this was
possible during the relevant time period,” Topps stated in its

“It is possible that this incident compromised names, mailing
addresses, telephone numbers, e-mail addresses, and payment
information (including credit/debit number, card expiration date, and
security code) for customers who completed a purchase through the
Topps website between November 19, 2018 and January 9, 2019.”

According to BleepingComputer.com, a malicious script known as a
MageCart attack was inserted into the company’s website using
JavaScript.  That script would then capture payment information,
sending it to a remote site where it could be collected by the

Topps is telling customers to review card statements to look for any
suspicious or unauthorized activity. They’re also suggesting that
customers who made a purchase using a payment card contact credit
reporting agencies to place a fraud alert on their credit files.

Topps was hit with a similar attack in late 2016.

Topps says it has been working with a security firm “to implement
measures to strengthen the security of our systems and help prevent a
similar incident from happening again.”  They say they have “upgraded
the Topps.com website platform.”
