Pierluigi Paganini
December 30, 2024
ZAGG Inc. disclosed a data breach that exposed its customers’ credit card data after threat actors hacked a third-party application from its e-commerce provider BigCommerce. The company has not disclosed the number of impacted customers were impacted by this security breach.
ZAGG Inc. is a consumer electronics accessories company based in the United States. It is best known for producing products like screen protectors, mobile device cases, power banks, wireless charging devices, and other smartphone and tablet accessories.
ZAGG notified law enforcement authorities and told impacted customers that threat actors gained access to their data via BigCommerce’s FreshClick app. Compromised customer payment data includes names, addresses, and card details.
Attackers injected a malicious code in the FreshClick app to scrap credit card data from ZAGG.com transactions between October 26 and November 7, 2024.
“On November 8, 2024, our e-commerce software platform provider, BigCommerce Inc. (“BigCommerce”), notified us that a third-party application (“FreshClick”) offered by BigCommerce and used in connection with ZAGG.comexperienced a compromise.” reads the data breach notification. “We promptly took steps to secure ZAGG.com and initiated an investigation to determine what happened and identify what information was affected. Through this investigation, we learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024 and November 7, 2024. What Information Was Involved? The information that may have been affected includes names, addresses, and payment card data.”
FreshClick is not developed by BigCommerce, which told Bleeping Computer that its systems were secure. BigCommerce discovered and removed a hacked FreshClick app from customer stores.
ZAGG announced the implementation of security measures to minimize the risk of a similar event occurring in the future. The company is also offering impacted customers 12 months of free Experian credit monitoring.
“To help protect your identity, we are offering complimentary access to Experian IdentityWorksSM for [Extra2] months.” concludes the notification. “If you believe there was fraudulent use of your information as a result of this event and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the event (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
