Hammernutrition.com hacked

I just got an email from Hammer that their website was hacked. Anyone who made purchases between Jan 2018 and October 2018 had their credit card info breached.

"What Information Was Involved?
The information that the attacker(s) had access to included: debit/credit card number, expiration date, and three-digit credit card validation code. No other customer information was accessed."

Sounds like a worst case scenario with unencrypted credit card info taken. I called my credit card company and asked for a new card to be issued.

Posted here in case others impacted.

2 Likes

Not good

Thanks for the update. I am surprised I did not hear this from them first…

1 Like

Indeed, still waiting on my email from them.

From the email, the breach may have happened between January 2018 and October 2018. Here is the email in full…

Dear Valued Customer,

It is with deep regret that I am writing to inform you of an incident involving access to information associated with online purchases made on our website www.hammernutrition.com. We are providing notice to you and other potentially affected customers about the incident, along with the steps we have taken to remediate this malicious breach, and assurance that our site is now secure.

What Happened?
We discovered that our website, www.hammernutrition.com, experienced an intrusion earlier this year. A third-party company (our “website provider”) operates our site. The website provider’s systems experienced the intrusion. The intruder or intruders placed malware on the website provider’s servers, and by doing so gained access to our customers’ payment card data. Our investigation indicates that the intrusion began approximately in January 2018 and ended in October 2018. The attackers gained access to customer information, listed below, as transactions were made on the website provider’s systems. Because you used your payment card information for web orders in the past, we are notifying you of this data breach.

What Information Was Involved?
The information that the attacker(s) had access to included: debit/credit card number, expiration date, and three-digit credit card validation code. No other customer information was accessed.

What Are We Doing?
Our website provider has worked with a leading cybersecurity firm to identify and remove the malware from its systems. Our website provider is actively monitoring the platform to safeguard personal information. A web application firewall has also been installed. Additionally, we have secured our e-commerce credit card payment methodology by employing a third-party hosted provider for communications and management of customer’s personal information, including credit and debit card data. Our website, www.hammernutrition.com, is now 100% secure and safe to use for credit card transactions.

I am very sorry about this data breach and any inconvenience it may have caused you. I appreciate your patronage up until now and hope that it will continue in the future. We strive to not only provide you with superior products, knowledge, and customer service, but also to ensure you can safely and securely do business with us in this age of the internet. Our vigilance is heightened in this modern e-commerce era, and we will continue to invest in systems and technologies to achieve these goals.

For More Information
If there is anything else that I can do to assist you, please call 800.336.1977 on weekdays between the hours of 9:00 a.m. and 5:00 p.m. Mountain Time.

Sincerely,
Brian Frank
Owner, Founder and CEO
Hammer Nutrition

1 Like

I buy from them all the time but I use paypal…haven’t seen an email yet…maybe paypal wasn’t breached.

Hmm. They’re not advertising this on their homepage, at least on the mobile version I can’t even see “enews” menu item.

The url is either deliberately obfuscated behind the q/diMpVnaDZ6o8qS8_1D9_ede6HipuiHEEQod77tiPcfK1W3BDtADVR9PqLY_w or enews.hammernutrition.com is not an official subdomain.

Assuming it’s a legit communication, claiming to be 100% secure is a good indicator that they don’t have professionals on the job.

1 Like

Interesting.

I just spoke to Miles (Niles?) @ Hammer and the email is legit. The email was only sent to customers that may have been affected.

1 Like

Awesome, I received an email. This is like the 4th email I’ve received in the past two years from different companies that my information “may” have been compromised. At this point I can’t imagine who DOESN’T have my information :roll_eyes:

Just in case anyone feels left out my SS# is 377-88-1917, dob: 12/8/1977, credit card number: 9821 5111 2022 4144, expiration date 08/21 and security code 155

4 Likes

Looks like I have work to do :rofl:

Thanks for the pimped out S-Works!

3 Likes

Follow up email…

Dear Valued Client,

I apologize for the form email you received yesterday - it contained information required by your state and did not include “the whole story”. So, here is the rest of the story, which I hope will help assuage your concerns, both past and future. Your data security is of paramount importance to me and every measure has been taken to protect you.

The below information should address your concerns, but if it does not, please feel free to call me directly.

The previous notice you received indicated what we have done to correct the breach and to ensure your data security going forward. This email includes more information on what, if anything, you might do as well as additional answers to your questions.

  • Only the credit/debit card number, expiration date and three digit security code were stolen from the web site. Name and/or billing address was not part of the data breached. Due to this very limited amount of data, the hackers were unable to do anything but attempt to use the card, which immediately triggered a fraud alert and the card number was deactivated.

  • Without name, phone number and billing address, there is no way the card data alone could be used for identity theft or other theft from you.

There was no compromise of our internal systems. We do not store any credit/debit card information internally and have not for years.

  • Only a small fraction of those of you who received this notice actually had your card information compromised - less than 10% were actually affected, see below for more. During the same time frame, over 10,000 Magento platform web sites were breached in the same way, including British Airways. This is little comfort to me or you, but hopefully does indicate the scale and sophistication of the hackers.

  • If you order by phone, USPS mail, or any other means besides using a credit card on our web site, you are not in this group and have no cause for concern.

Only those of you who placed an order on our web site during the time window MAY have had credit card data stolen.

WHAT TO DO:

  • IF you used a credit card on our web site and were then notified by the issuing bank of suspicious activity and had your card replaced, then you were one of the unfortunate few. However, the good news is that your new card data is safe and there is no other cause for concern.

  • IF you placed an order on our site during this time window, but have NOT been notified by your credit card issuing bank that fraud activity had been detected and a new card issued, your card data was not compromised.

However, as an added measure of protection, we do recommend that you contact your bank and have them issue you a new card. If you are unsure of which card you may have used, please feel free to contact us and we can tell you the last 4 digits of the card used - this is the only part of your credit card information we ever see or have on file.

Below are additional resources that you may find of interest regarding credit card security and free credit monitoring services.

Again, my sincerest apologies for this inconvenience and the undue alarm that my previous email may have caused you.

Best regards,
Brian
Owner, Founder and CEO

lendingtree.com
creditkarma.com
identityforce.com
lifelock.com
pcmag.com
heimdalsecurity.com

1 Like

I get what you’re trying to do, but the existence of a PAN on the TR forum (which you’ve posted) brings the forum into scope of PCI DSS, and they’ll need to delete it and ensure it’s deleted from their logs and backups in order to attest to compliance and be allowed to continue to trade using credit cards.

Ummm… that was just made up numbers, I was being funny :confused:

1 Like

I thought so but I don’t have a Luhn checker on my phone so I couldn’t verify whether it was real or not.

:+1:

I’m a bit under the weather and grumpy too :stuck_out_tongue:

Sorry…

And it’s not my place either way, so I don’t know what I was thinking.

2 Likes
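As an added example (not code from the thread or from any party mentioned in it), here is the kind of Luhn check and redaction a forum moderator could run over a post before it is stored, covering both the PCI DSS concern above and the "no Luhn checker on my phone" remark. The sample post is constructed; it reuses the made-up number from the thread and a well-known Luhn-valid test number.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9.
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Mask each Luhn-valid candidate, keeping only the last four digits."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)   # not a plausible PAN, leave it alone
    return _CANDIDATE.sub(_mask, text)


# Constructed sample post: the thread's made-up number (fails Luhn) and a
# well-known Luhn-valid test PAN (should be flagged and masked).
SAMPLE_POST = (
    "credit card number: 9821 5111 2022 4144, expiration date 08/21\n"
    "also test card 4111-1111-1111-1111 should be flagged"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_POST))   # ['4111111111111111']
    print(redact_pans(SAMPLE_POST))
```

The thread's number sums to 58 under Luhn and so is rejected, which is the "made up numbers" check the poster was missing; the redaction keeps the last four digits, the same fragment the merchant says it retains.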

@MI-XC I assumed that immediately . . . and was cracking up. You added great levity to the situation. Thanks. :slight_smile:

2 Likes

I have never used Hammer Nutrition before but I know I never will now. What sort of company allows unencrypted credit card information on either their own servers or a 3rd party they have contracted out to manage that information?

It doesn’t really help to know that British Airways has been hacked as well.

You are your own best privacy policy, stop sharing personal data with these companies, they’ve proven time and time again that they cannot be trusted with our personal and sensitive data. This includes social media, retail outlets, the government, etc. Use unique email addresses, and payment systems like privacy.com to protect yourself. Encrypt everything and mask your personal details whenever possible.

Okay but you could at least make your username pronounceable. Use one of those pronounceable password generators if you must. :wink:

:sunglasses:

1 Like