Wiggle says that login details of customers that hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.
As we reported yesterday, a number of the company’s customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and did not recognise the delivery addresses the goods were to be sent to.
In a statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.
“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.
“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”
Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.
@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I can't access your website.
— hayley badger (@hayleybadger) June 14, 2020
Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debited from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.
— Kobi Omenaka (@Kobestarr) June 15, 2020
Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.
To enhance your online security, you can also use the 1Password service, which is integrated with Have I Been Pwned, and which uses “strong, unique passwords for every account” you have to minimise the impact of any data breach to just the account in question.
Simon has been news editor at road.cc since 2009, reporting on 10 editions and counting of pro cycling’s biggest races such as the Tour de France, stories on issues including infrastructure and campaigning, and interviewing some of the biggest names in cycling. A law and languages graduate, published translator and former retail analyst, his background has proved invaluable in reporting on issues as diverse as cycling-related court cases, anti-doping investigations, and the bike industry. He splits his time between London and Cambridge, and loves taking his miniature schnauzer Elodie on adventures in the basket of her Elephant Bike.