- Online spices marketplace ‘Savory Spice’ has had a nasty Magecart infection that spanned over three years.
- During that period, customers who bought products from the site had their names and full card details stolen.
- The actors may have used these details to purchase items online or may have sold them to others on the dark web.
‘Savory Spice’, the Denver-based online spices marketplace that ships across the United States is now circulating notices of a data breach to its customers, informing them of a dire security incident. As detailed in the letter, someone has gained access to the company’s computer network on April 5, 2018, and maintained their malicious presence until March 27, 2021. Weirdly, even though the notice mentions October 8, 2020, as the date of realizing the intrusion, the investigations took until July 14, 2021, to complete, leaving the actors free to continue their data-scraping operation in the meantime.
The information that was stolen by the hackers includes customer first and last names, credit and debit card numbers, expiration dates, and even the security code. This means that the hackers have got everything they needed to use these cards to purchase items or services on online platforms as if they belonged to them.
The type of data and the duration of the compromise sounds like a Magecart attack with skimmers having been planted onto the checkout page of the ‘Savory Spice’ website. Even if the IT team of the firm realized the problem in October 2020 and tried to clean up the code, subsequent re-infections may have reintroduced the skimmers on the site.
If you have bought anything from the particular marketplace between the aforementioned dates you should keep a close eye on your credit report and bank account statements, and report any charges you don’t recognize to your card issuer. Also, even though email addresses and phone numbers weren’t included in this data breach, phishing actors could find them by searching your name on previously exposed data sets, so you should remain wary of incoming communications of all kinds.
For more information about how this incident affects you personally, you may call 1-855-654-0862 and address your concerns to a representative. Unfortunately, the small company wasn’t in a position to offer identity theft protection services to its clients, so placing a fraud alert or a security freeze on your credit file may be a solid step in protecting yourself now.