Fans of the NFL team Green Bay Packers had their personal and sensitive details exposed after a “malicious code” was injected into Pro Shop – the team’s website for merch – and other services.
The non-profit behind the NFL team, the Green Bay Packers, Inc., sent out a breach notification letter about a recent cyberattack. According to the letter, threat actors inserted malicious code on the Pro Shop, operated by a third-part vendor.
Packers learned about the incident in late October 2024 and launched the attacks’ investigation, uncovering that attackers may have stolen sensitive details between September 23rd-24th, 2024, and October 3rd-23rd, 2024.
The organization told Cybernews “only a limited number of individuals who conducted credit card transactions on the website” were impacted by the breach. Information the Packers disclosed to the Maine Attorney General's office indicated over 8,500 people were impacted by the cyberattack.
Meanwhile, the notification suggests that the malicious code allowed attackers to view and steal data Pro Shop users submitted on the checkout page. As a result, sensitive user details may have been exposed, including:
- Names
- Billing and shipping addresses
- Email addresses
- Credit card types
- Credit card numbers
- Credit card expiration dates
- Credit card verification (CVV) numbers
The only silver lining is that purchases using gift cards, Pro Shop website account, Paypal, or Amazon Pay, were not impacted by the attack.
“The incident was limited to the single e-commerce website and did not affect any other Packers information technology or data. We are working closely with our vendors and third-party experts to ensure our sites are as secure as possible for our fans,” Packers' representative told Cybernews.
While the original point of hackers' entry remains unknown, Steve Povolny, Senior director of security research at Exabeam called the attack and “unnecessary hacking,” saying that with proper monitoring, similar attacks can be stopped even after malicious actors establish the primary foothold.
“Whether a server-side vulnerability such as XSS (Cross-site scripting), social engineering such as phishing, or a configuration issue on login/authentication, it is important to remember that both the original points of entry and all follow-up vectors must be monitored and tracked,” Povolny said.
“The incident was limited to the single e-commerce website and did not affect any other Packers information technology or data.”
Packers fans in danger
The attack severely threatens users whose data was exposed. To state the obvious, cybercrooks can utilize full credit card details for unauthorized purchases up until the payment cards are maxed out or cancelled.
Worse still, customers' personal information was exposed, enabling malicious actors to craft sophisticated identity theft schemes. At least in theory, attackers could open new credit accounts, apply for loans, and devise phishing campaigns against victims to further profit from them.
Since attackers know the victims most likely are Packers fans, they could impersonate the organization and affiliated entities with various scams and spear-phishing attacks.
Credit card details are a treasured prize on the dark web, where cybercriminals compile and sell stolen information on underground marketplaces. In other words, whoever stole the data from Packers’ website may not be the ones who’ll exploit them.
To help victims mitigate the issue, Packers said the organization will provide 36 months of free credit monitoring and identity theft restoration services. The attack’s victims are also advised to stay vigilant, review account statements, and monitor free credit reports for even a whiff of fraudulent activity.
Established in 1923, Green Bay Packers is the only NFL club operated as a non-profit entity. The team is based in Green Bay, Wisconsin’s third most populous city. The Packers won the Super Bowl four times, in 1967, 1968, 1997, and 2011.
Updated on January 8th [08:30 a.m. GMT] with a statement from the Green Bay Packers.
Your email address will not be published. Required fields are markedmarked