‘Hanna Andersson’ Hacked and Customer Credit Card Details Stolen

Written by Bill Toulas
Last updated June 23, 2021

‘Hanna Andersson’, the popular children’s apparel maker from Portland, US, has been hit by Magecart actors. The retail company operates both physical stores and online shops, so this event concerns the latter. Apparently, malicious actors managed to plant their card skimming code in the Hanna Andersson payment page, and nobody figured it out until after two months had passed. This means that everyone who bought something from the particular online store between September and November may have had their payment data stolen by hackers. Most of these customers have already received the below notification.

In this message, Hanna Andersson claims that the law enforcement informed them that several of the same credit cards that were used on its websites were already offered for purchase on the dark web. This resulted in the launching of an investigation that led to the location of the card skimming code. The JavaScript snippet was found in the Salesforce Commerce Cloud that is used by the platform to help customers go through the purchase process. According to the report, the first sign of magecart activity was traced back to September 16, 2019, while the malware was removed on November 11, 2019.

Hanna Andersson clarifies that not everyone who has made a purchase within this period is surely compromised. However, they have not managed to determine the actual number of people who have been impacted by the incident. As for what type of data was leaked, this includes the customer names, the shipping address, billing address, credit/debit card number, the CVV code, and the expiration date. Unfortunately, since the CVV code is included, actors may proceed to the ultimate exploitation step right away, which would be to use the stolen cards to buy stuff online. Thus, all Hanna Andersson customers are advised to monitor their credit card activity and report any suspicious activity to their card issuer.

Around the same period, between November 19 and 27, 2019, another retailer (Sweaty Betty) which was using the Salesforce Commerce Cloud platform was infected by magecart code. Security expert Jérôme Segura believes that this could be due to a vulnerability in the CMS. Right now, the particular product is used by more than 2800 websites, so the existence of a vulnerability that enables malicious actors to inject their card skimming code is a dire possibility.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: