Lifting weights might build strength for the body, but for customers of Bodybuilding.com, bulking up wasn’t enough to stop hackers from stealing their personal data. According to a security notice issued by the popular online fitness store, Bodybuilding.com recently experienced a security incident that may have affected customer information.
“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” according to the statement.
“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”
In the aftermath of discovering the incident, the company contacted law enforcement and brought in external forensic investigators. Additionally, the notice to customers said that the company will be forcing a password reset upon the next login for all of its customers.
The company does not store full credit or debit card information, but customers do have the option of storing card information in their accounts. In those cases, Bodybuilding.com only stores the last four digits of the card, and according to the statement, it never stores the full card number.
“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the company said, adding that much of the information in the BodySpace profile is already public.
“We’re never out of danger from a data breach of our personal information and passwords, as the Bodybuilding.com incident reminds us. Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures,” said Oscar Tovar, vulnerability verification specialist, WhiteHat Security.
“Since Bodybuilding.com’s breach was a phishing attack, this showcases the importance of ongoing security training for employees. Organizations’ people continue to be the single largest threat vector for successful breaches. In addition, this paints a large target on an organization making them an easy target for hackers, who can exploit them and gain access to sensitive information. Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern.”