Eggfree Cake Box has disclosed a data breach after threat actors hacked their website to stole credit card numbers.
Cake Box is a UK chain of stores selling fresh cream celebration cakes made without eggs. There are currently 164 Cake Box stores located throughout the United Kingdom.
In emails sent to customers this week, Cake Box disclosed that their website was hacked in 2020 to include malicious scripts that stole customer information, including credit cards, submitted to the site.
Part of the Cake Box data breach notificationSource: Twitter
Cake Box learned of the breach on April 27th, 2020, when they were contacted by their then-payment processing provider, Global Payments, who warned them that the site was breached.
"We immediately launched a thorough investigation of our systems in response and, with the help of experienced third-party security specialists, determined that an unauthorised third party had indeed recently gained access to the Cake Box website and placed certain malware on it", disclosed Cake Box in a data breach notification sent to customers.
"Using this malware, the third party was able to copy certain information provided by our customers when making purchases from our website. We were then subsequently made aware that, in certain instances, this information has been used to make fraudulent purchases."
When customers made purchases on the site while it was infected, these malicious scripts sent the first name and surname, email address, postal address, and payment card information, including the three-digit CVV code, to a remote server controlled by the attackers.
Likely a MageCart attack
Based on the description, this breach appears to be a MageCart attack.
MageCart ..
Support the originator by clicking the read the rest link below.
