‘FabFitFun’ Subscribers Have Had Their ‘PayPal’ and ‘Apple Pay’ Credentials Stolen

• FabFitFun suffered a nasty Magecart skimmer infection, and then a reinfection.
• The hackers stole emails, credit card numbers, CVV codes, names, and PayPal passwords.
• The platform is now covering the cost of identity theft services and is also giving away $25 coupons.

‘FabFitFun’ is circulating notices of a breach to an undisclosed number of customers, warning them about a security incident that may involve sensitive personal information. FabFitFun is a membership-based service where people register, pay a fee, and get boxes of products shipped to their addresses.

Boxes are fun because they involve the surprise element and also contain various things to try out. When the service’s payment page is infected with card skimmers, though, the fun factor is taken out of the equation.

According to the notices, this is precisely what happened to the FabFitFun website, with the actors managing to steal whatever information the visitors entered on the forms. That would include emails and passwords for PayPal or Apple Pay, names, addresses, payment card account numbers, card expiration dates, and card verification codes. So, depending on how you paid for the FabFitFun boxes, a different set of information has been exposed to the actors, but the data is highly sensitive in all cases.

There are two distinct periods of exposure, one between April 26, 2020, and May 14, 2020, and a second one between May 22, 2020, and August 3, 2020. During these periods, the skimmers were active on the site, so if you happened to enter anything between these dates, your information has most probably been exfiltrated by them.

This reinfection is typical of Magecart actors, and also an indication that FabFitFun has failed to plug the hole that the hackers exploited the first time. However, malicious actors may not be the same in both cases. The victimized company has reported the incident to the law enforcement authorities, and they are now working with IT forensic experts to help them identify the points where they can further strengthen their security.

The exposed individuals will be offered one year of identity theft protection and credit monitoring services for free, while the registration deadline was set to December 31, 2020. Additionally, all notice recipients will also get a $25 credit that can be used on the platform until the end of the year.

In the meantime, you should reset your account passwords on FabFitFun and also on PayPal and Apple Pay. Doing this immediately is crucial, as the Magecart actors have had your password in their hands for a long time already. Finally, credential stuffing attacks are also on the rise, so if you were using the same password elsewhere, go ahead and reset it now.

Read More:

• The ‘Warner Music Group’ Announced a Credit Card Data Breach
• How Skimming Crooks Abuse Telegram API to Exfiltrate Card Data
• North Korean Hackers Planted Card Skimmers on Shopping Websites