Last year, credit card data was stolen from online stores hosted by eCommerce software, hosting and support company Volusion. Now, that data has appeared for sale on the dark web, according to reports.
Hackers breached Volusion servers and inserted malicious JavaScript code, which made its way onto customer store websites, where it recorded payment card details when they were entered into checkout forms.
The hack was discovered in October, but researchers say the actual breach happened a month earlier, in September. The code was found in 6,589 stores, but was originally thought to have affected 20,000 stores.
The stolen card data was uploaded about one month later, on a dark web hacking forum, and it’s been for sale since then.
Researchers think the hackers may have gotten access to almost 20 million payment card details, but they’ve tracked about 239,000 Card Not Present records back to the source. It’s estimated that the hackers made about $1.6 million in revenue from the stolen card data.
The hack is thought to be perpetrated by a hacking group called FIN6, who are allegedly involved with other big breaches, like British Airways and Newegg.
Hacks like the Volusion one are becoming more and more common, and don’t just affect servers. Government websites and banking sites are also common targets.
Earlier this year, all four of Greece’s main banks were forced to enact security protocols after a data breach, and 15,000 consumer cards were canceled.
Consumer information was compromised on a tourist website and Alpha Bank, Piraeus Bank, Eurobank and the National Bank of Greece were all forced to cancel cards.
The banks acknowledged the hack in a joint statement, and said that a small number of users had been falsely charged.
The banks are conducting an investigation into the matter to see how it happened, and that’s expected to be completed this month.