Wiggle says that login details of customers that hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.
As we reported yesterday, a number of the company’s customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and did not recognise the delivery addresses the goods were to be sent to.
> Wiggle investigating suspected cyber attack on customers’ accounts
In a statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.
“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.
“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”
Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.
@Wiggle_Sport Are you under cyber attack? I’ve received an email to say someone’s changed my account to their email address and I can’t access your website.
— hayley badger (@hayleybadger) June 14, 2020
Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debited from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.
@Wiggle_Sport someone broke into my account and ordered this. I told customer services as it happened but no one has come back to me. pic.twitter.com/ydhe8tDUiU
— Kobi Omenaka (@Kobestarr) June 15, 2020
Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.
Using a password manager such as 1Password, which integrates with Have I Been Pwned, makes it practical to have “strong, unique passwords for every account”, so that any data breach exposes only the account in question rather than every site where the same password was reused.
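As an added illustration (not part of the road.cc article, and not Wiggle’s or Have I Been Pwned’s own code), here is what the Have I Been Pwned password check does under the hood, so that a site or a user can test a password against the Pwned Passwords corpus without ever sending the password itself. Only the first five hex characters of the password’s SHA-1 go to https://api.pwnedpasswords.com/range/<prefix>; the response lists every hash suffix sharing that prefix with its breach count, and the match is made on the client. The response body below is constructed for the example (real responses run to several hundred lines) and the count shown for “password” is illustrative, not a live figure.

```python
"""Pwned Passwords k-anonymity range check, run offline against a constructed response."""
import hashlib

# Constructed stand-in for the body returned by GET /range/5BAA6.  Each line is
# "<35 hex chars of SHA-1 suffix>:<count>"; the suffixes other than the one for
# "password" and all of the counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E2DF9D2C3E8D7F2A1B4C5D6E7F8091A2B3:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F1A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9:0
"""


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix is sent to the service.  Every password whose
    hash starts with those characters produces the same request, which is what
    stops the service (or anyone watching the wire) learning which one you hold.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL the client would fetch; the password never appears in it."""
    prefix, _ = split_hash(password)
    return "https://api.pwnedpasswords.com/range/" + prefix


def parse_range(body):
    """Parse a range response into {suffix: count}.

    Tolerates blank lines and the zero-count padding entries HIBP adds when the
    client asks for padded responses.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears in the breach corpus (0 = not seen).

    The comparison happens locally: the service only ever saw the prefix.
    A non-zero result means the password should be rejected or changed.
    """
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_url(pw), "->", breach_count(pw, SAMPLE_RANGE_RESPONSE))
```

A retailer can run the same lookup at registration and on every password change and refuse any password with a non-zero count; that is the operator-side counterpart to telling customers not to reuse passwords, and it catches exactly the credentials that credential-stuffing lists are built from. SHA-1 is acceptable here only because it is a lookup key for the corpus, not a way of storing passwords.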
39 thoughts on “Wiggle says customers’ login details were obtained externally by hackers to access accounts”
Sounds like reused passwords. How many times do people need to be told not to do this?
How many times do retailers need to be told not to use simple username/password systems?
What do you expect them to do? Implement 2FA and Conditional Access? When people can’t even be trusted not to re-use passwords because it’s not convenient for them?
I expect them to stop pissing in the wind. Two thirds of people reuse passwords, according to:
https://www.infosecurity-magazine.com/news/google-survey-finds-two-users/
Telling them they should not is futile. Admonishing them like you were their witless parent is even less useful.
People will reuse passwords, that’s just a fact. But not implementing 2FA or 3D Secure, and not asking for confirmation of an email change on a service that allows you to make purchases with saved cards, is an explicit decision Wiggle have made somewhere along the line.
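Added example (not from the thread, and not Wiggle’s code) of the “confirmation of an email change” control the comment above asks for. The point is that an attacker who logged in with a stuffed password should not be able to silently swap the account’s address for their own: the change only takes effect after a signed, short-lived token sent to the new address is presented, the old address is told immediately and gets a longer-lived undo token, and confirming the change drops any stored card. Assumptions: SERVER_KEY would come from a secrets store, the (recipient, token) pairs go to the site’s mailer, and `now` is Unix time supplied by the caller.

```python
"""Two-step e-mail change with a revert path for the previous address."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"demo-only-key-replace-me"  # assumption: loaded from a secrets store in real use
CONFIRM_TTL = 15 * 60                     # proof of the new address must arrive within 15 minutes
REVERT_TTL = 7 * 24 * 3600                # the old address can undo the change for 7 days


def _token(kind, account_id, old_email, new_email, expires, nonce):
    """Bind kind, account, both addresses and expiry under an HMAC.  Nothing in the
    token is secret; the MAC just stops anyone forging or re-pointing one."""
    msg = f"{kind}|{account_id}|{old_email}|{new_email}|{expires}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{kind}.{expires}.{nonce}.{mac}"


def _valid(token, kind, account_id, old_email, new_email, now):
    try:
        tkind, expires_s, nonce, _mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if tkind != kind or now > expires:
        return False
    expected = _token(kind, account_id, old_email, new_email, expires, nonce)
    return hmac.compare_digest(token, expected)


def start_email_change(account, new_email, now):
    """Record the request.  The live address does NOT change yet."""
    old = account["email"]
    nonce = secrets.token_hex(8)
    account["pending"] = {"old_email": old, "new_email": new_email}
    confirm = _token("confirm", account["id"], old, new_email, now + CONFIRM_TTL, nonce)
    revert = _token("revert", account["id"], old, new_email, now + REVERT_TTL, nonce)
    # The old address learns about the change straight away and gets the undo link.
    return [(new_email, confirm), (old, revert)]


def confirm_email_change(account, token, now):
    """Apply the change only with a valid, unexpired token for the pending request."""
    p = account.get("pending")
    if not p or not _valid(token, "confirm", account["id"], p["old_email"], p["new_email"], now):
        return False
    account["email"] = p["new_email"]
    account["last_change"] = account.pop("pending")   # single use: pending is gone now
    account["saved_card"] = None                      # new contact address does not inherit stored payment details
    return True


def revert_email_change(account, token, now):
    """Old owner undoes the change (before or after confirmation) and locks the account."""
    c = account.get("last_change") or account.get("pending")
    if not c or not _valid(token, "revert", account["id"], c["old_email"], c["new_email"], now):
        return False
    account["email"] = c["old_email"]
    account.pop("pending", None)
    account.pop("last_change", None)
    account["locked"] = True   # force a password reset and end all sessions before further use
    return True
```

Re-asking for the password at this point proves nothing in a credential-stuffing case, because the attacker has it; what helps is the notice and undo link to the address being replaced, and not letting a freshly changed contact address spend against a card saved by the previous one.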
Indeed. And orders placed from novel devices on novel IP addresses simultaneously requesting novel delivery addresses – all secured by a username/password system which everybody knows fosters poor security hygiene, and no one knew it could happen. Sure, blame your customers, sounds like a business plan.
It’s all about stopping buyers from ending transactions prior to checkout. Amazon do it too – saved cards, no CVV requirement, able to send to any address. They’re willing to take the hit because making checkout harder would impact sales much more than the occasional fraudulent transaction.
Sriracha wrote:
If you block novel IP addresses, you also prevent people shopping on mobile phones connected to a mobile network and laptops in cafes/on trains etc.
When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?
I think it was the 3 way novel combo that was being flagged as a security issue for further checks.
Sriracha said nothing about blocking. You just put additional security confirmations in place.
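Added example (not from the thread, not Wiggle’s or any retailer’s production logic) of the “additional security confirmations” rather than blocking that the exchange above settles on: a single novel IP is allowed through, because that is every phone on a mobile network, but the three-way combination of new network, new device and new delivery address, or a new address shortly after an e-mail or password change, escalates to a fresh card entry / OTP or to a hold with manual review. The weights, thresholds and the sample account history are constructed; a real system would read history from the order database and session store.

```python
"""Checkout risk check that escalates on combinations of novel signals."""
from dataclasses import dataclass, field
from typing import Optional, Set

RECENT = 48 * 3600  # a credential or contact change within 48 h is suspicious at checkout


@dataclass
class AccountHistory:
    networks: Set[str] = field(default_factory=set)   # /24 prefixes of past order IPs
    devices: Set[str] = field(default_factory=set)    # device identifiers seen at past logins
    addresses: Set[str] = field(default_factory=set)  # normalised delivery addresses used before
    email_changed_at: Optional[int] = None            # Unix time of last e-mail change
    password_changed_at: Optional[int] = None


def network_of(ip):
    """Coarsen an IPv4 address to its /24 so a phone hopping carrier IPs is not 'novel'."""
    return ".".join(ip.split(".")[:3])


def checkout_decision(history, order, now):
    """Return (action, reasons); action is 'allow', 'step_up' or 'review'.

    One novel fact (a cafe IP, a new phone) is everyday behaviour and is allowed.
    Several at once, or a new address right after an e-mail/password change, is the
    account-takeover pattern: the order waits for card re-entry / an OTP ('step_up')
    or is parked for manual review with notice to the previous e-mail ('review').
    """
    weights = {"new_network": 1, "new_device": 1, "new_address": 2,
               "email_changed_recently": 3, "password_changed_recently": 2}
    reasons = []
    if network_of(order["ip"]) not in history.networks:
        reasons.append("new_network")
    if order["device"] not in history.devices:
        reasons.append("new_device")
    if order["address"] not in history.addresses:
        reasons.append("new_address")
    if history.email_changed_at is not None and now - history.email_changed_at < RECENT:
        reasons.append("email_changed_recently")
    if history.password_changed_at is not None and now - history.password_changed_at < RECENT:
        reasons.append("password_changed_recently")

    score = sum(weights[r] for r in reasons)
    if score >= 6:
        return "review", reasons
    # A saved card shipping to a never-seen address always needs the card details
    # re-entered, even if nothing else looks odd (a milder version of what Wiggle
    # said it would now require of every account).
    if score >= 3 or ("new_address" in reasons and order.get("saved_card")):
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    home = "1 High St, Anytown, AB1 2CD"
    hist = AccountHistory(networks={"203.0.113"}, devices={"dev-A"}, addresses={home})
    takeover = {"ip": "198.51.100.7", "device": "dev-Z", "address": "Flat 9, 22 Other Rd", "saved_card": True}
    print(checkout_decision(hist, takeover, 1_600_000_000))
```

Scoring the combination rather than any one signal is what keeps the laptop-on-a-train case cheap for the customer while still catching the pattern the comments describe, and the step-up is a confirmation, not a refusal, so the conversion hit the retailer worries about is limited to the orders that look like takeovers.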
srchar wrote:
Actually, yes – you nailed it. Good road design accounts for human failure. Where a poor layout leads to repeated accidents you can point your finger at drivers not driving appropriate to the conditions, and keep enlarging the cemetery, or you can fix the road layout.
Sriracha wrote:
We’d better rescind every driving penalty ever issued and sue the councils then.
Abandon personal responsibility all ye who drive here.
srchar wrote:
We’d better rescind every driving penalty ever issued and sue the councils then.
Abandon personal responsibility all ye who drive here.
— srchar
Responsibility isn’t all or nothing – it can be shared around.
In this analogy, the close-passing driver would be most akin to the fraudsters / hackers, the council / planners to the website developers and the banks, and the customers to the people cycling.
Blaming the customers is like criticising people for riding too close to the kerb and not further out to discourage the passes. There might be some truth to it, but they’re just responding as humans do, and it’s a distraction from addressing the real problem.
mdavidford wrote:
Indeed. So why should Wiggle shoulder all of the blame and all of the losses?
srchar wrote:
They shouldn’t. Most of the blame should fall on the fraudsters, and if they can be caught and made to make good they should be. Unfortunately there’s not much chance of that happening. After that, most blame should be on those who designed the system without considering how humans actually behave. That probably actually means the banks/payment providers, rather than Wiggle, and Wiggle may well try to claim the losses back from them. Least blame and consequence should fall on those trying to use a system that isn’t fit for purpose.
mdavidford wrote:
— mdavidford
So if people continue to flock to crowded tube stations and use public transport during a pandemic after they have been told that it’s unsafe then is that the government’s fault? They are “just responding as humans do”?
Would you walk home from the pub alongside a canal after there have been reports of people being mugged and pushed into the water? Is it the police at fault for not ensuring your safe passage?
If a scammer rings you up and claims to be from BT or Microsoft do you blame the company when that claim turns out to be a lie after he remotely accesses your PC and siphons your bank details and list of passwords?
If you go on holiday and leave a note on your front door about where the key is kept what will your insurance company say?
The internet has been here for long enough now and people know it’s like the Wild West. As individuals we can’t control how our data we give to one entity is stored and may be held, transmitted, copied or abused without our knowledge. Taking responsibility by not reusing passwords is one good way for the individual to safeguard their data.
Simon E wrote:
If they’ve been told that they need to return to work, that they will no longer be supported if they don’t, and they haven’t been given any good alternative transport options, then yes.
It depends whether I have a good alternative route.
The police may bear some responsibility, if they’ve been concentrating their resources on, say, harassing people cycling without hi-viz and helmets, instead of increasing their presence in the area.
The council may bear some if they’ve neglected to maintain lighting, etc. along the route.
No – I would blame the scammer.
If the scammer subsequently made hugely out-of-character purchases on my account and my bank accepted them without checking with me, I would probably change my bank.
I don’t see how this scenario is relevant – what possible purpose could that serve that there wouldn’t be a straightforward alternative to?
Nobody’s denying that. But saying there are measures that individuals can take to mitigate the dangers does not absolve those who create the systems of the responsibility to design them in such a way that they minimise the dangers in the first place.
Ok, so you and others are moaning about having to have a different password on every site, because it’s inconvenient.
But you can’t wait to have to authenticate by 2FA for every purchase?
Come on, you’re just pushing the blame, the only people to blame here are the divvies who use the same password on multiple sites, anyone involved should be grateful that Wiggle bailed them out.
dodgy wrote:
If I could like this 100 times, I would.
dodgy wrote:
— dodgy
I’d put some blame on the companies who allowed their data to be left on exposed servers for anyone to hoover up. Duty of care and all that.
But that does not get users off the hook. They really should be more careful, since it’s their data that is exposed and then abused.
Sriracha wrote:
The people who use the same password on every site are the people who also complain when a website forces them to choose a complex password, when they don’t get bailed out when their own lax attitude to security costs them personally and when they have to use “one of those stupid card reader things”.
Sriracha wrote:
FTFY
I don’t know if it’s a coincidence but I had 3 suspicious transactions on my credit card saved on Wiggle by Uber in India (never been to India) and had to cancel the card.
Well this could explain why I struggled to put an order in on Monday. The site kept bombing out at the point where it verifies my credit card. Contacted customer services, they made no comment about being hacked or accounts being compromised and asked me to use a different web browser. I had work to do, so I just left the order and put it through on Tuesday and all went through okay.
Hmm, if this is true Wiggle should explain who the external provider is, and why there appears to be a significant overlap with Wiggle customers. Otherwise by Occam’s razor the breach is theirs, not someone else’s. I’d report them to the ICO to be on the safe side.
You’ll notice that none of the affected individuals have stated they *do not* reuse passwords, quite the opposite, they’re defending the practice.
Oh, who is defending the practice of using shared passwords?
You, in a “well people will just keep doing it” sort of way.
I don’t.
I think you misunderstand me, perhaps deliberately. I am looking at this from the perspective of Wiggle. Implementing a system for use by humans, known to be wide open to common human failure, is poor practice. They could know in advance what percentage of customers will come a cropper using it; it’s a foregone conclusion. Presumably, as has been mentioned, they just figure it yields better business returns that way, even accounting for bailing them out.
Secret_squirrel wrote:
Has road.cc checked to see if there’s been any suspicious activity on their servers?
Quite possible that the breach is elsewhere. On this forum we would hear about users with shared passwords who buy bike parts. Maybe there is a forum out there where users are complaining their favourite hi-fi online store is hacked, and somewhere else that someone is buying expensive designer clothes. We just happen to be focussed on the wiggle users.
Easyjet was hacked a while ago, maybe those are the source of the stolen passwords.
Meanwhile I’ve changed mine and deleted my card (I use PayPal anyway)
I think you have the right idea.
Here’s what I think happened.
1. People complain about suspicious orders to Wiggle
2. Wiggle InfoSec dept (probably very small and understaffed) do some triage and can find no evidence of a hack, yet people continue complaining
3. Out of their depth, they call an external Cyber Forensics team in (Mandiant or someone of that ilk)
4. The first thing Mandiant will do is ask for the ‘hacked’ userid/email addresses so they can compare them against compromised accounts (Mandiant and other companies are well connected and will be privy to compromise data that me and you don’t get to see). They do this first because if they get a match, it saves a whole heap of investigative work which might take months to finish.
5. Mandiant tell Wiggle there’s a match
Usually, Mandiant (or whatever company) won’t tell them the source of the compromise, so Wiggle probably won’t even know where it came from.
Wiggle’s investigation lasted about 48 hours, which is about right when they get a match on a set of credentials elsewhere. Don’t expect Wiggle to say “yeah, we got it from easyjet/linkedin/whatever” because they probably won’t have been told.
If there was a security vulnerability on Wiggle’s site, you can bet there won’t have been just the odd victim, it would have been a fireball and you’d read about it everywhere, they’d also close the site.
Edit to add: We must also not exclude the possibility of a key logger/virus on the ‘victims’ machine.
Last post on this!
I agree it’s entirely possible, but that’s not relevant.
If I have evidence they have provided access to my PII without my explicit consent they are liable under GDPR unless they can prove otherwise. If I have reasonable evidence of a Wiggle PII leak, I’m not required to go around trying to prove it came from somewhere else – that’s Wiggle’s job, and it’s the job of the ICO to hold them to account for it. If Wiggle can show that all the breaches were external to the satisfaction of the ICO all well and good and fair play to them. Just Wiggle sayin’ it’s so isn’t good enough.
On a lighter note – what if the “external provider” is CRC? I’d lol.
How does this work? So people can order skinsuits and stuff and send them to the criminal’s address? Would that address not then be known to the police?
Obviously we’d rather this didn’t happen but I’m not sure I see the criminal getting away with it? Also Castelli sizing is all over the place so it prob won’t fit them.
One common trick is to have the orders mailed to addresses in blocks of flats, etc. with a common mail delivery area. Then they just loiter around the area and collect the parcels before the real occupants of the addresses turn up to check their mail.
Another is to rent space somewhere using fake details, place a large number of orders all in one go to be delivered to that address, then disappear after a few days before the police turn up (and without actually paying the rent).
Of course it doesn’t really matter to them whether they actually take delivery of all the packages (if some are delayed, or the real address owner gets to them first) since they’re not paying for them in the first place.
This happened to me on 19/5 for a gift voucher. I reported it and 8 days later they came back to say I was a one-off and no other occurrences had happened. They should have acted then and not now, a month later. By changing the email and passwords of the account, they have not only ordered goods but have had week-long access to people’s accounts, including their home addresses and order histories to see where their bikes are kept. Shocking from Wiggle.
What happened to the one time codes we were all supposed to be using? Wasn’t that due to be in play by now?
If you did have to get a code in an SMS or other to use with the purchase then that would reduce the fraud by some margin.
Wiggle says customers’ login details were obtained externally by hackers to access accounts
in other news, large predatory mammal inhabiting forested area “believed to defecate”
As a regular user of Wiggle, the somewhat indifferent explanation that it was from ‘outside their own system’ doesn’t create a very good impression. I can well imagine what someone like Steve Gibson would have to say about Wiggle as a company if this appeared on Security Now – you should have emailed all of your customers telling them to reset their passwords and I should have had that email by now… you send me umpteen emails a week telling me about every special offer under the sun, but apparently account security is of lower priority.
Oh – and you own Chain Reaction and also Bike24 and we should be told if they also are involved and could any of those account details be compromised: in fact maybe it’s best to assume that you screwed up and actually someone gained access to everybody’s account details for every account with any of your divisions, and that’s happened far too many times in the past from companies who announced something that sounds as lame as your statement sounds to me, Wiggle.