TrueFire, a leading online guitar-tutoring platform, has suffered a “Magecart-style” security incident that may have exposed customers’ personal identifiable information and credit card numbers.
The data breach was discovered on January 10, when the company noticed that an unauthorized individual had gained access to their systems, “more specifically, to information that consumers had entered through the website,” reads the Notice of Data Breach.
Although TrueFire said it doesn’t store any credit card information directly on its website, the letter confirms “the unauthorized person gained access to the Website and could have accessed the data of consumers who made payment card purchases, while that data was being entered, between August 3, 2019 and January 14, 2020.”
The technical details behind the incident are yet to be revealed. However, it is clear that the threat actor had access to the platform’s systems for six months period and could have captured, in real time, names, addresses, credit card numbers, expiry dates and CVV codes of unsuspecting shoppers.
Security researchers speculate that the attack may have involved malicious credit card-skimming malware that sniffs out credit card and personal information while it is being entered on a website. This dangerous type of malware could fill the cyber criminals’ pockets, as CC information and other identifiable data is highly sought after on the dark web markets.
What should you do?
While TrueFire states it is continuously monitoring activity on Trufire.com and working alongside cybersecurity forensics experts to “ensure that the intrusion remains contained,” users are advised to keep an eye out form suspicious activity on credit and debit card statements.
The company also recommends reviewing information regarding identity theft protection services (enclosed alongside the notification sent to affected customers), and report any fraudulent transactions to the financial institution or credit card company.
At first glance, an online guitar lesson website may not seem like a very attractive victim for threat actors. But keep in mind that no company, service provider or website can be 100% bullet proof. Cashing out is the number one priority on the bad actor’s agenda. In this case, the stolen credit card information may have an immediate reward, but any piece of personal identifiable information you provide online can be valuable.
Due to the recent developments that have affected most of the world’s population, you might have let down your guard. Try to watch out, though, and keep tabs on your online activity, wherever your browsing patterns may take you.