Eggfree Cake Box has revealed a data breach after threat actors hacked into its website to steal credit card numbers.
Cake Box is a UK chain of stores that sells fresh cream celebration cakes made without eggs. There are currently 164 Cake Box stores located across the UK.
In emails sent to customers this week, Cake Box revealed that its website was hacked in 2020 to include malicious scripts that stole customer information, including credit cards, sent to the site.
Cake Box learned of the breach on April 27, 2020, when they were contacted by their payment processing provider, Global Payments, who warned them that the site had been breached.
“We immediately launched a thorough investigation of our systems in response and, with the help of experienced third-party security specialists, we determined that an unauthorized third party had recently gained access to the Cake Box website and placed certain malware on it.” revealed Cake Box in a data breach notification sent to customers.
“With this malware, the third party was able to copy certain information provided by our customers when making purchases from our website. Later, we learned that, in certain cases, this information has been used to make fraudulent purchases.”
When customers made purchases on the site while it was infected, these malicious scripts sent first and last name, email address, postal address, and payment card information, including the three-digit CVV code, to a server. remote controlled by attackers.
Probably a MageCart attack
Based on the description, this violation appears to be a MageCart attack.
MageCart attacks occur when threat actors hack into an e-commerce site and add malicious scripts to your payment confirmation pages.
These scripts will monitor the payment pages and, if credit card information is sent on the page, they will transmit the data to a remote site under the attacker’s control.
The attackers can then log into their servers and retrieve the stolen credit card information to sell on the dark web or conduct fraudulent transactions.
If you are a Cake Box customer and have received notifications about the data breach, you should analyze your current and past transactions and make sure there are no fraudulent charges.