Bodybuilding.com, the largest online retailer and forum for bodybuilders, revealed recently that an intrusion into its IT infrastructure had left customer data vulnerable. The company broke the news via a short statement on its website.
It is not yet known whether hackers actually accessed the data available, but an investigation led by a third-party security firm is now underway to gain more insight into what went on. The probe will also establish how weak spots in the firm’s cyber-security can be shored up.
Engineers working for the company have been unable to confirm whether customer data was stolen from servers used by Bodybuilding.com.
Specialists at the forefront of the investigations tracked unauthorised activity back to a phishing email sent to workers at the firm in the summer of last year. It is believed that the email was followed up by at least one member of staff, and that this provided hackers with the details they needed to access Bodybuilding.com networks in February of this year.
The company has not revealed when it first discovered the suspicious activity, but says that initial investigations were concluded by 12th April, and that the intrusion was announced to the public seven days later on April 19th.
Bodybuilding.com has been praised for its action in response to the breach, with experts saying that company chiefs took the right decision to notify customers of the incident as a precaution. User passwords were reset to mitigate the risk of the damage spreading.
Had hackers stolen details from the company servers, Bodybuilding.com says that customer data exposed would comprise names, email addresses, payment details, phone numbers and purchase histories, together with further personal information associated with user profiles.
The company also made efforts to spread awareness about the dangers of phishing scams, even within its own campaign to notify the public of the initial breach, stating:
“Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data.
“If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data.
“Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to insert the Bodybuilding.com FAQs URL into your browser and does not request your personal data.”
Article originally published by GDPR:Report.