Eggfree Cake Box, a UK chain of stores selling celebration cakes made without eggs, has announced that its website was hacked by threat actors. Attackers reportedly the store customers’ stole credit card numbers.
Cake Box revealed its website was hacked in 2020, when cybercriminals added malicious scripts that harvested customer information. The breach was found on April 27, 2020, when it was reported to the company by their payment processing provider Global Payments.
After an investigation, it was revealed that an unauthorized third party had gained access to the company’s systems and placed certain malware on its website. When customers made purchases on a website that was infected, these malicious scripts sent their first and last names, email address, and payment card details to the attackers’ remote server.
“We immediately launched a thorough investigation of our systems in response and, with the help of experienced third-party security specialists, determined that an unauthorised third party had indeed recently gained access to the Cake Box website and placed certain malware on it”, disclosed Cake Box in a data breach notification sent to customers.
“Using this malware, the third party was able to copy certain information provided by our customers when making purchases from our website. We were then subsequently made aware that, in certain instances, this information has been used to make fraudulent purchases.”
This breach appears to have been caused by a MageCart attack in which a hacker tries to compromise an eCommerce site and inject malicious scripts to the customer’s payment confirmation pages. These scripts will monitor the checkout pages and transmit the credit card information to a remote site.
The attackers can then steal the information from the servers and sell it on the dark web.
If you have received a notification about the data breach from Cake Box, you should review your transactions and make sure that no fraudulent charges are present.