News is breaking that the Green Bay Packers are notifying customers that, in October 2024, a threat actor broke into the team's official online store and installed a card-skimmer script to steal payment and personal data from shoppers.
The exposed personal data included names, addresses and email addresses, as well as credit card numbers together with their verification numbers. Team officials are offering affected customers 3 years of credit monitoring and identity theft restoration via Experian.
Below is expert commentary from HackerOne’s staff solutions architect:
Shobhit Gautam, Staff Solutions Architect at HackerOne
“To avoid similar schemes, websites using oEmbed should implement robust validation mechanisms to ensure any received data originates from a legitimate source and doesn’t contain malicious code.
“It’s essential for eCommerce sites and other online sellers to carefully vet and implement third-party APIs and features to ensure proper software supply chain hygiene. That also includes requiring third-party vendors and plugins to proactively and continuously assess their security postures, which can be done through engagements like pentests and Vulnerability Disclosure Programs.”
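The oEmbed validation Gautam describes, as an added example that is not part of the original article or of HackerOne's material. It assumes a hypothetical two-provider allowlist and rebuilds the embed markup itself instead of inserting the provider's html field verbatim; the sample responses are constructed.

```python
import re
from html import escape
from urllib.parse import urlparse

# Hypothetical allowlist (placeholder values): provider domain -> oEmbed endpoint.
ALLOWED_PROVIDERS = {
    "youtube.com": "https://www.youtube.com/oembed",
    "vimeo.com": "https://vimeo.com/api/oembed.json",
}
ALLOWED_TYPES = {"video", "rich"}  # the two oEmbed types that carry an html field
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
ACTIVE = re.compile(r"<script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def host_allowed(url, domain):
    """True only if url is https and its host is domain or a subdomain of it.
    Requiring the dot suffix rejects look-alikes such as evil-youtube.com."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return p.scheme == "https" and (host == domain or host.endswith("." + domain))

def provider_for(url):
    """Return (domain, endpoint) for an allowlisted provider, else None, so the
    site only ever calls endpoints it chose, never one taken from user input."""
    for domain, endpoint in ALLOWED_PROVIDERS.items():
        if host_allowed(url, domain):
            return domain, endpoint
    return None

def sanitize_oembed(response, domain):
    """Validate a parsed oEmbed JSON response from `domain` and return markup
    safe to insert. The html field is never inserted as-is: only the iframe src
    is taken from it, checked to point back at the provider, then rebuilt."""
    if response.get("version") != "1.0" or response.get("type") not in ALLOWED_TYPES:
        raise ValueError("unexpected oEmbed version or type")
    html = response.get("html", "")
    if ACTIVE.search(html):
        raise ValueError("active content in oEmbed html")
    m = IFRAME_SRC.search(html)
    if not m or not host_allowed(m.group(1), domain):
        raise ValueError("embed iframe missing or not on provider domain")
    # Cross-origin iframe: allow-same-origin here grants no access to the shop's page.
    return ('<iframe src="%s" sandbox="allow-scripts allow-same-origin" '
            'referrerpolicy="no-referrer"></iframe>' % escape(m.group(1)))

# Constructed sample responses, not real provider output.
GOOD = {"version": "1.0", "type": "video",
        "html": '<iframe src="https://www.youtube.com/embed/abc123"></iframe>'}
BAD = {"version": "1.0", "type": "rich",
       "html": '<iframe src="https://www.youtube.com/embed/abc123"></iframe>'
               '<script src="https://cdn.example/extra.js"></script>'}
```

The same check belongs on the endpoint response as on the user-supplied URL: a provider that is compromised upstream is exactly the supply-chain case the commentary warns about.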