Wiggle has promised to get back to customers directly regarding an alleged cyber attack on its website.
The online multisport retail giant appears to have fallen victim to a cyber security breach, with a number of its customers reporting that they have received order confirmations for items they didn’t purchase, and the delivery addresses were to locations they didn’t recognise.
@Wiggle_Sport Are you under cyber attack? I’ve received an email to say someone’s changed my account to their email address and I cant access your website.
— hayley badger (@hayleybadger) June 14, 2020
After alerts were first raised on 12 June and there were reportedly no responses from Wiggle on the matter, one customer got in touch with road.cc directly today to claim that a £30 order was made on his account.
In the tweet below, another claimed that an order for a £237.50 Castelli skinsuit was made without his knowledge.
@Wiggle_Sport someone broke into my account and ordered this. I told c ustomer services as it happened but no one has come back to me. pic.twitter.com/ydhe8tDUiU
— Kobi Omenaka (@Kobestarr) June 15, 2020
The tweet below is the first we have seen where Wiggle confirmed it is taking action, saying its account security team is investigating and customers affected will be contacted directly.
@Wiggle_Sport Are you under cyber attack? I’ve received an email to say someone’s changed my account to their email address and I cant access your website.
— hayley badger (@hayleybadger) June 14, 2020
A number of people who say they have been targeted had complained on Wiggle’s social media pages, but in most cases the retailer appears to have just issued brief responses with no further acknowledgement regarding the issue; road.cc has asked Wiggle for a statement.
33 thoughts on “Wiggle investigating suspected cyber attack on customers’ accounts”
This happened to me on 05
This happened to me on 05 June. I saw an email notification pop-up, “Confirmation of your order ###### from Wiggle”. Checked the email straight away, and it was an item I’d not ordered to an address in another country.
Thankfully, since I was using the computer at the time, I instantly cancelled the order, removed my saved card details and changed the account password. I then followed up by contacting Wiggle to say that I thought my account had been compromised. 9 days later and I’ve recieved an email from them as per below:
Are we still under the aegis
Are we still under the aegis of the GDPR regs now? A report to the ICO should have been submitted by now if so.
Yep, and we will be after the
Yep, and we will be after the transition period too
EVERYONE with a wiggle
EVERYONE with a wiggle account should change their password IMMEDIATELY!
I just tried logging in, the first time for 4 or 5 years (I don’t use them any more) and it said that my account “has been locked due to repeated login attempt failures”. I changed my password, of course.
And don’t let them save your card details!
Just changed my password now,
Just changed my password now, though I’m wondering if I should remove my card details. Maybe the crims will spend less than I do.
hawkinspeter wrote:
Yes.
Never allow a site to store your card details if you have the option.
Tbf I hadnt realised with my
Tbf I hadnt realised with my account I actually had,so id add & dont assume you havent stored card details , but fortunately only my own ridiculous spending sprees shows up
I need a Zipp 404 front wheel
I need a Zipp 404 front wheel clincher, just send it to me and charge it to BehindTheBikesheds.
I seem to remember last
I seem to remember last millennium sometime credit card (as opposed to cheque) mailorders and telephone orders could only be sent to the cardholder address. Always seemed a very sensible safeguard to me. I get the convenience of being able to have stuff shipped just anywhwere, but maybe there needs to be some address validation before stuff goes in a different direction to the bill.
The other half has just seen
The other half has just seen his order for the San Remo speed suit and he has had to quickly come up with an excuse. “Oh my account must have been hacked, I wouldn’t spend £237 just to save a couple of watts”
I had my alt account
I had my alt account compromised on the 29th of may. I got a email stating my password had been changed quickly followed by a one time code for my credit card with a purchase for £700. Luckily fraud protection kicked in. Wiggle insisted they had not had a breach. Not so sure now.
They need to make a public
They need to make a public statement and fast. The one thing worse than fucking your security up is fucking it up and then trying to cover it up. I was going to make a three-figure purchase from them. I won’t be now, not until I see evidence it was either isolated incidents or they’ve made changes.
Rule 1. Never store a
Rule 1. Never store a credit card on any online account
Rule 2. Use a different password on every site (get a password manager or use google to manage the passwords)
For now, log on change your passowrd and remove all card details……then we wait to see what Wiggle say!
I remain open to the
I remain open to the possibility that another site has been hacked and credentials obtained which were then used on Wiggle, because people still have this habit of using the same password on multiple sites.
I’m not saying this happened here, but it won’t be the first, or last time it has elsewhere.
…because e-tailers still
…because e-tailers still have this habit of using the same password system they 100% know will lead to such behaviour amongst a good proportion of paying customers.
And yet people still use the
And yet people still use the same passwords. Sorry, what’s your point here?
I think the point is that by
I think the point is that by making the shopping process as easy as possible, e-tailers get more custom. But the cost of this is lower security.
By not requiring strong or unique passwords, and by not requiring any additional verification – even re-entering the CVV – shops make it very easy to click through and complete an order but leave themselves open to this sort of attack.
Online stores make it as easy
Online stores make it as easy as possible for people to place orders, because if the order process is difficult (like having to re-enter card details, 2FA etc) then a lot of people will go somewhere else. People are lazy and like things to be as easy as possible, until something like this happens. And then it’s the retailers fault for not doing more to protect them.
I’m the one who’s been
I’m the one who’s been kicking up a stink about this on Twitter. Wiggle’s response has been absolutely farcical. This has been going on for AT LEAST 10 days and is still happening TODAY. Wiggle still haven’t put out a public message advising people to change their account details, and are still giving canned responses (at best) to enquiries on Twitter.
Seriously, if you’ve not been affected and can still log in – change your password, unlink your card. Wiggle allows transactions to be placed without any extra authorisation and they are continually trying to absolve themselves of blame by telling people it’s their own fault.
Should you use different passwords on different websites? Yes. Should Wiggle store CVVs and allow critical account details to be updated without confirmation from the existing email address on file? Absolutely not.
Merchants are not allowed to
Merchants are not allowed to store CVVs. I’d be very sutprised if Wiggle were doing so.
Ok then: Yes. Should Wiggle
Ok then: Should Wiggle
store CVVs andallow critical account details to be updated without confirmation from the existing email address on file? Absolutely not.But somehow, orders are being placed without any secondary authorisation. There is no 3d-secure or 2FA.
Regardless the technicalities are kind of secondary at this point to the fact they still haven’t informed everyone with an account that they need to change their password.
I’ve just deleted my card
I’ve just deleted my card details from Wiggle so I can’t test this anymore, but I’m pretty sure last time I ordered from Wiggle (using saved card details) I was able to complete the order without entering the CVV – indeed as far as I can remember the only security was logging on to my account (thankfully using a unique password from LastPass).
Isn’t the point of the CVV that you have to enter it each time you make a purchase, thereby demonstrating that you physically have the card and avoiding this very situation?
That might seem sensible but
That might seem sensible but I don’t think that’s how it works. Once a merchant has verified your card once using CVV I don’t think they have to repeat for successive transactions. But if the card number was stolen somehow and used elsewhere that should be foiled by lack of CVV.
I’m surprised merchants don’t validate new/additional delivery addresses different than the cardholder address.
Other retailers (including
Other retailers (including Amazon I think) will store card details and not require CVV to be re-entered when you’re having a delivery sent to an address you’ve used previously. Request delivery to a new address and you have to re-enter the CVV. Seems like a sensible approch. I’ve got a feeling that changing email address also requires you to re-enter CVV next time you make a purchase.
Nothing more than a hunch, and don’t have anything to back it up, but it’s possible that someone has identified that as a weakness with the Wiggle ordering process and, as others have suggested, used details gained from another source (ie not from hacking Wiggle) to exploit it.
OnYerBike wrote:
No. CVV prevents theft of card details using card skimmers – it’s not stored in the magstripe. There’s no requirement for a merchant to ask for CVV at all and card providers do not require it in order to authorise a transaction, hence why the likes of Wiggle can store your card details and allow you to complete purchases without re-entering your CVV.
Wiggle have made the decision that asking for CVV on first use is sufficient to protect them and their customers against fraud. Or they’ve calculated that the resulting fraud costs less than the lost sales resulting from forgetful people having to go and find their physical card every time they want to make an impulse purchase…
Don’t forget that no website forces you to store your card details.
I’m not an expert, but my
I’m not an expert, but my understanding is that, while card skimming is one way to obtain someone’s card details, it’s not the only way. And CVV should provide the same additional protection whether your details were compromised because someone skimmed your card or because someone logged in to your account (or because your card details were obtained in another way).
While no website forces you to store your card details for future purchases, all online shops will store your card details somewhere in their records – and there have been numerous occassions when such websites have been breached and card numbers have been obtained by hackers.
And yes, it does appear that retailers aren’t required to request your CVV each time you make a purchase. Personally, I would think that requiring that small additional step would noticeably increase security with minimal loss of revenue.
As much as Wiggle have
As much as Wiggle have managed to turn this into a complete PR nightmare, People need to understand the importance of their personal data. It would seem at first glance, people are having their accounts accessed using stolen credentials (not stolen from wiggle) freely available on the web. If this is the case wiggle have not been hacked, you have.
Wiggle is in an unenviable position that they need to be sure of what they say and not give wrong information. I suspect they also lack the IT resources to handle this level of investigation internally.
As others have advised please use a password manager, unique passwords and 2 factor auth wherever possable. Too many people only think about this after an incident.
The wider issue is that not enough ecommerce companies are helping thier customers with options for good practice like 2FA or openID. Should any online retailer deserver you custom if they do not help you stay secure?
I don’t know if it’s a
I don’t know if it’s a coincidence but I had 3 suspicious transactions on my credit card saved on wiggle by Uber in India (never been to india) and had to cancel the card.
This sounds like a simple
This sounds like a simple case of credential stuffing.
Wiggle can’t do anything about this, short of implementing two-factor authentication.
This is the fault of people who re-use passwords.
Get a password manager and use it!
I’m curious about this as
I’m curious about this as when I went to change my password, I saw that my existing password was an extremely weak one that I know has been compromised in the past (through other websites – might have been XKCD). However, my Wiggle account hasn’t been abused (by anyone else) so that seems to me like there’s some other route that the crims have used to get credentials.
I can also confirm that Wiggle store card details and I can happily order without putting in the CVV. As I understand it, the credit card companies have found it cheaper to push most of the security details onto the retailers. If a retailer accepts orders and ships out expensive parts to a different country, then it’ll be the retailer that’s left with the bill as the credit card company will just reverse the charge.
hawkinspeter wrote:
https://haveibeenpwned.com might be able to tell you where.
Actually, it was Kickstarter
Actually, it was Kickstarter (changed password since) and MyFitnessPal (which I haven’t used in years).
srchar wrote:
Wiggle can’t do anything about this, short of implementing two-factor authorisation.
This is the fault of people who re-use passwords.
Get a password manager and use it!— srcharYes, it appears to be that emails and passwords lifted from elsewhere have been used. Common password across multiple sites are an absolute no-no (and far too many people use really dumb passwords).
A password manager isn’t 100% safe but it’s far, far better than reusing a password, even a complex one.
But not retaining your card data is just as vital.