Credit card info of 1.8 million people stolen from sports gear sites

Credit cards

Four affiliated online sports gear sites have disclosed a cyberattack where threat actors stole credit cards for 1,813,224 customers.

While not much is known about the attack, a law firm representing the four websites stated that personal information and credit card information, including full CVV, were stolen on October 1st, 2021.

The affected websites are the following:

The sites first learned of the breach on October 15th, and after an investigation, confirmed on November 29th the customers that had their payment information stolen.

The details that have been compromised as a result of this incident are the following:

  • Full name
  • Financial account number
  • Credit card number (with CVV)
  • Debit card number (with CVV)
  • Website account password

After the conclusion of the investigation, the websites sent notices to the affected individuals on December 16th, 2021.

None of the published notices to impacted customers provide any details on the nature of the incident, so the actual means of obtaining the data remains unknown.

However, as the description states, “External system breach (hacking),” this appears close to be a database breach rather than the implantation of card skimmers on the websites, although both scenarios are likely.

Whatever the case is, if you have purchased anything from these four websites, you should treat incoming communications with vigilance, monitor your bank account and credit card statements, and report any suspicious transactions immediately.

“Upon becoming aware of the incident, Tackle Warehouse took the measures referenced above. We also reported the incident to the payment card brands in an attempt to prevent fraudulent activity on the affected accounts,” reads Tackle’s notification letter to customers.

“We also reported the incident to law enforcement and have worked closely with the digital forensics firm to enhance the security of our sites to facilitate safe and secure transactions.”

Unfortunately, the affected customers have not been offered an identity protection service this time, even though the compromised data is extremely sensitive information.

We have reached out to all the affected entities to learn more about the attack, and we will update this post as soon as we receive a response.