This year, more than 200,000 shoppers looking to purchase blinds and window dressings through SelectBlinds may have had their personal and financial information compromised in a data breach. Hackers successfully embedded malware on SelectBlinds’ website, allowing them to harvest sensitive customer information directly from the checkout page.
In breach notification filings submitted in California and Maine, SelectBlinds revealed that employees discovered the malware on September 28, uncovering that it had been active on the site since at least January 7. This lengthy duration of exposure indicates a significant window during which customer data could have been accessed and exfiltrated by attackers.
According to the company, “An unauthorized third party embedded malware on the SelectBlinds website that allowed data scraping on logins on the check-out page.” This malware was able to capture information from users logging in at checkout, potentially impacting anyone who made or considered a purchase on the SelectBlinds website.
Stolen Data and Customer Notifications
The data compromised in the breach includes login credentials, usernames, and passwords, as well as names, email addresses, shipping and billing addresses, phone numbers, and detailed payment card information. The stolen payment data included not only card numbers but also expiration dates and CVV security codes, exposing affected customers to a heightened risk of fraud.
To protect customers, SelectBlinds has taken steps to secure accounts, locking them and prompting users to change their passwords. The company has removed the malware from its website and has issued warnings to customers to change any login credentials reused on other websites to minimize potential further risk.
The Growing Threat of E-Skimming
This breach is a stark reminder of the increasing threat of e-skimming attacks, where hackers insert malicious code into websites to capture sensitive payment data. Known as “e-skimmers,” these attacks target websites that process payments, allowing hackers to siphon credit card information and other personal details in real-time. The stolen data is often packaged and sold on dark web marketplaces to “carding” operations that exploit the information for fraud.
Typically, hackers inject JavaScript code into vulnerable checkout pages, a tactic that has been used repeatedly across various industries. The financial impact of e-skimming can be devastating for consumers, and many companies have faced significant reputational damage as a result of these incidents.
E-Skimming on the Rise: A Broader Look at the Threat Landscape
E-skimming attacks have become increasingly prevalent. Last month, cybersecurity firm Recorded Future reported that around 15 million credit card records were listed for sale on dark web marketplaces. In April, Russian authorities took the unusual step of publicly charging six individuals accused of stealing the details of 160,000 credit cards, which were later sold for illicit purposes. These incidents highlight the global scale of e-skimming operations and the challenges of curbing such activities.
In response to these threats, law enforcement agencies worldwide have been coordinating efforts to protect online consumers. Last year, Europol collaborated with agencies from 17 countries, warning over 400 online retailers that their customers’ payment card data had likely been compromised. Despite these measures, e-skimming continues to grow as a tactic, particularly as online shopping becomes more common.
Moving Forward: How Customers Can Protect Themselves
For those affected by the SelectBlinds breach, immediate action is crucial. Customers are advised to monitor their bank and credit card statements closely for any unauthorized transactions and to update passwords used on other sites. Experts also recommend enabling multi-factor authentication on accounts where possible to add an extra layer of security.
As cybercriminals refine their techniques, consumers should remain vigilant about the security of their online transactions. With e-skimming attacks showing no sign of slowing down, individuals and businesses alike must prioritize cybersecurity to protect against the ongoing threat of data breaches.
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
