- 30 million credit cards that were stolen from Wawa’s POS systems are for sale on the dark web.
- The cards are offered with numbers, expiration dates, cardholder names, and even the CVV2 numbers.
- Individuals in risk are urged to sign up for Wawa’s identity theft protection and card monitoring program.
A brand new massive credit card dump named “BIGBADABOOM-III” is for sale on the notorious darknet marketplace Joker’s Stash. The seller claims that this is the biggest breach of the last five years, and considering the numbers, it definitely looks like it is. The dump contains 30 million “perfect pure” cards, which means that they have not been compromised before, belonging to a worldwide audience (more than a hundred countries). The largest portion of the dump concerns residents of 40 US states, and the promised validity ranges between 90% and 95%.
According to Gemini Advisory, who is an expert in the field, the card data that is for sale belongs to Wawa, a convenience store, fast food, and gas station chain, which operates 842 locations in the US. Back in December 2019, the company disclosed a POS malware infection incident that resulted in the compromise of millions of cards of its customers. The malware was found to be present on the majority payment processing systems of the chain, and the investigation found evidence of its presence since March 2019. The POS malware collected numbers, cardholder names, and expiration dates, so PINs and CVV2 numbers were supposedly not exfiltrated. However, the first data samples come with CVV2 info, so Wawa’s initial claims may have been false.
Now that the data of 30 million cards are up for sale on the Joker’s Stash, Wawa reminds the holders that they won’t be responsible for any fraudulent charges and that they should promptly notify their card issuer when suspicious activity is evident. Moreover, the company has set up a dedicated toll-free call center to support people who are at risk of identity theft and to help them monitor their credit card activity. To sign up for this program, call “1-844-386-9556” and follow the instructions.
As for the dark web sale, the cost of each US card is $17 on average, while international cards are sold for a whopping $210 each. Gemini commented that Joker’s Stash has the tactic of waiting for the breaches to hit the news before offering the associated dumps for sale on the marketplace. This is to increase the value of the data, as the dumps become more credible thanks to the publicity. The sale has started on Monday, so if you have bought something from Wawa between March and December 2019, you should closely monitor your credit activity for the next couple of months.