Bodybuilders beware! One of the world’s largest online fitness stores hit by security breach

Fitness fanatics are being advised to change their passwords after one of the world’s largest and most popular online fitness stores admitted that it had suffered a security breach that might have exposed customer data.

Bodybuilding.com says that it first suspected it might have a problem in February 2019 when it hired independent security experts to investigate whether hackers might have gained unauthorised access to its IT systems.

According to a statement issued by the website, those investigators uncovered that Bodybuilding.com had actually been breached as far back as July 2018, when staff had been targeted by a phishing email.

That duped worker, it appears, accidentally provided enough information to allow external hackers to break their way into the company’s infrastructure.

We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.

Information which may have been accessed by the hackers includes customers’ names, email addresses, billing and shipping addresses, phone numbers, order history, any communications with Bodybuilding.com, dates of birth, and other data included in BodySpace profiles.

Fortunately, Bodybuilding.com does not store full payment card numbers when customers make purchases in its online store.

Although the site says it has seen no evidence that stolen personal information has been abused, you do have to ask yourself how it would possibly know if such data had been exploited by criminals and fraudsters.

With the apparent loss of personal information and contact details, Bodybuilding.com has sensibly warned users to be wary of any emails purporting to come from the site which ask recipients to click on links or contain attachments, or that request personal data.

The site says that it is taking steps to harden security to prevent unauthorised access to user information, and is also requiring users of Bodybuilding.com to change their passwords immediately.

Clearly it also makes sense to change your password on other websites, if you happened to be using the same password there. For years security professionals have been urging internet users to choose different passwords for different websites, as it’s so common for attackers to use a password exposed in one security breach to unlock other online accounts belonging to the same victim.

It should go without saying by now that a good password manager can help you generate complex, unique passwords and store them securely for you.

Also, always remember to enable two-factor authentication for additional security wherever possible. After all, it’s likely that some additional levels of authentication might have prevented the hackers from gaining access to Bodybuilding.com’s network.

Bodybuilding.com says that the outside security experts it called in to investigate the breach have helped it address vulnerabilities and remediate the incident.

The site claims to receive 35 million unique visitors per month, and has over 9 million members in its BodySpace community.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
