Hackers compromise Newegg's payment server


Investigators say customer credit card information may have been exposed

Consumers who made purchases at Newegg between August 14 and September 18 may have a compromised credit card in their wallet.

The popular online electronics retailer was compromised by hackers who were able to insert "skimming" code into the site's checkout page, capturing consumers' credit card information.

The incident response firm Volexity found the code and reported it to Newegg, which removed it from the page on Tuesday. The company has not made a formal statement on the breach, but TechCrunch has reported that customers have received emails from the company saying it has not yet been determined how many credit cards may have been compromised.

Magecart strikes again

Volexity attributes the attack to the Magecart group -- hackers accused of carrying out a similar breach of British Airways' online payment system.

"As it turns out, a nearly identical data theft campaign was being carried out against Newegg at the same time," Volexity said in a report. "In fact, it appears the Newegg compromise may have started nearly a week earlier."

That raises the frightening possibility that other ecommerce sites have been compromised by the same group and that those breaches have not yet been discovered.

Volexity reports the hackers have also become more efficient, using just eight lines of code to carry out the Newegg attack, down from 21 lines in the British Airways attack.

What to do

Consumers who made purchases at Newegg between August 14 and September 18 should immediately check their credit or debit card statements for unauthorized charges.

Even if none are detected, it is prudent to contact the card issuer's customer service representative and inform them the card may have been compromised. Most likely, the card issuer will cancel the old card and issue a new one.

If unauthorized charges have been made to a compromised credit card, the cardholder's liability under federal law is limited to $50. If the cardholder reports the card has been compromised before any fraudulent charges are made, they bear no liability for any subsequent fraudulent charges.

Different banks have different policies regarding fraudulent charges made to debit cards, which is why it is always advisable to use a credit card, not a debit card, when making online purchases.
