AeroGrow Reveals Data Hack
AeroGrow International Inc., a Colorado-based company that makes soil-free indoor gardens, has said that a security breach, which probably continued for a 5-month period, involved some individuals who bought things on AeroGarden.com, the company's website, scmagazine.com reported on June 9, 2015.
AeroGrow learnt on 5th May 2015 that its servers had been infiltrated with malware so that hackers could acquire the order information provided between October 15, 2014 and April 27, 2015.
This illegitimate access possibly resulted in the exposure of certain credit card data, possibly including card-holders' addresses, names, account numbers, and expiry dates, along with the CVV/CCV numbers of the payment cards.
Meanwhile, AeroGrow formally stated that the company did not collect other personal details about its customers, such as driver's license numbers, PINs (personal identification numbers), SSNs (social security numbers), or financial account details; therefore, none of this personal information was at risk of compromise.
It is not clear how the intrusion happened; however, AeroGrow uses Magento eCommerce software to handle online orders. Since mid-2014, several vulnerabilities have affected the software, a few of which remained even 6 months after security researchers responsibly disclosed them.
One particular vulnerability, which AppCheck disclosed in April 2014 and which others had disclosed earlier, allowed user sessions to be hijacked by exploiting a DOM-based XSS vulnerability, possibly through a maliciously crafted web link or a form post to the site.
Although a security patch to fix the Magento vulnerabilities may be available, website administrators normally take a very long time to apply it.
After nearly 3 months, with exploits also appearing on the Web, some 75,000 or more Magento shops were not running the patched version and so succumbed to attacks that allowed the theft of financial information.
However, according to AeroGrow, the malware has been removed and buying online is as secure as before.
Expressing regret, AeroGrow CEO and President J. Michael Wolfe stated that the company had notified law enforcement officials so that such crime could be eradicated and to help protect anybody shopping with a payment card, oag.ca.gov reported on June 2, 2015.
» SPAMfighter News - 16-06-2015