BreachExchange mailing list archives
Improperly-configured shopping cart on compromised server reveals CC#s to hackers in Viet Nam
From: Chris Walsh <cwalsh () cwalsh org>
Date: Tue, 4 Apr 2006 19:59:24 -0500
From http://roadracingworld.com/news/article/?article=25398

Internet Security Breach Affects STT Track Day Customers

Apr 04, 2006

Copyright 2006, Roadracing World Publishing, Inc.

An Internet security breach has led to credit card information belonging to Sportbike Track Time customers falling into the hands of criminals and some fraudulent charges being made on those cards. According to a Sportbike Track Time spokesman, security improvements have been made to the company's website, www.sportbiketracktime.com.

Beginning March 23, 2006, several entries began appearing on Sportbike Track Time’s online forum (http://www.sttforum.com/sttforum/viewtopic.php?t=272) discussing unauthorized online purchases made with the credit cards and debit cards of Sportbike Track Time participants who had registered at www.sportbiketracktime.com. As the number of instances grew, it became clear Sportbike Track Time had a problem.

The source of the problem was a vulnerability in the “shopping cart” software provided by VP-ASP (a software company specializing in e-commerce solutions) to Sportbiketracktime.com, according to Monte Lutz, co-owner of Sportbike Track Time.

“Some enterprising hackers from Vietnam took over -- and I’m not a computer guy -- a Utah company’s ISP and their servers and used that to hack into, simultaneously, several of the VP(-ASP)-driven sites. And we were one of them,” Lutz told Roadracingworld.com Tuesday. “It was only a very short window. It was only 24 hours that the hackers had access to it, but you can take a lot of stuff in 24 hours. It was March 19. Anybody who signed up (for a Sportbike Track Time event) this year before March 20 was potentially affected.”

Another part of the problem was that Sportbike Track Time customers’ credit card information was being stored within the “shopping cart” system.

“We no longer store any data within the system,” said Lutz. “We have no reason to keep that information. We do not store your credit card numbers. I do not want that responsibility. And the system was supposed to do it that way, but VP(-ASP) didn’t set it up that way in the first place.”

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/