Fitness fanatics are being advised to change their passwords after one of the world’s largest and most popular online fitness stores admitted that it had suffered a security breach that might have exposed customer data.
Bodybuilding.com says that it first suspected it might have a problem in February 2019 when it hired independent security experts to investigate whether hackers might have gained unauthorised access to its IT systems.
According to a statement issued by the website, those investigators uncovered that Bodybuilding.com had actually been breached as far back as July 2018 when staff had been targeted by a phishing email.
That duped worker, it appears, accidentally provided enough information to allow external hackers to break their way into the company’s infrastructure.
“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”
Information which may have been accessed by the hackers includes customers’ names, email addresses, billing and shipping addresses, phone numbers, order history, any communications with Bodybuilding.com, dates of birth, and other data included in BodySpace profiles.
Fortunately, Bodybuilding.com does not store full payment card numbers when customers make purchases in its online store.
Although the site says it has seen no evidence that stolen personal information has been abused, you do have to ask yourself how they would possibly know if such data had been exploited by criminals and fraudsters.
With the apparent loss of personal information and contact details, Bodybuilding.com has sensibly warned users to be wary of any emails purporting to come from the site which ask recipients to click on links or contain attachments, or that request personal data.
The site says that it is taking steps to harden security to prevent unauthorised access to user information, and is also requiring users of Bodybuilding.com to change their passwords immediately.
Clearly it also makes sense to change passwords on other websites, if you happened to be using the same password. For years security professionals have been urging internet users to choose different passwords for different websites, as it’s so common for attackers to use a password exposed in one security breach to unlock other online accounts belonging to the same victim.
It should go without saying by now that a good password manager can help you generate complex, unique passwords and store them securely for you.
Also, always remember to enable two-factor authentication for additional security wherever possible. After all, it’s likely that some additional levels of authentication might have prevented the hackers from gaining access to Bodybuilding.com’s network.
Bodybuilding.com says that the outside security experts it called in to investigate the breach have helped it address vulnerabilities, and remediate the incident.
The site claims to receive 35 million unique visitors per month, and has over 9 million members in its BodySpace community.