Bodybuilding.com forces password reset after a security breach

Bad news for fitness and bodybuilding enthusiasts: the popular online retailer Bodybuilding.com announced that hackers have broken into its systems.

The popular online retail website Bodybuilding.com announced last week that hackers have broken into its systems. The website offers all kinds of fitness articles, exercises, workouts, and supplements.

The company confirmed it has no evidence that personal customer information was accessed or misused; as a precautionary measure, it is notifying all current and former users and customers.

“Bodybuilding.com recently became aware of a data security incident that may have affected certain customer information in our possession. We have no evidence that personal information was accessed or misused, but we are directly notifying all current and former users and customers out of an abundance of caution.” reads the announcement published on the website.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed.”

The company hired a security firm to investigate the incident, and the investigation found that the attack began with a phishing email received in July 2018.

The company reported the incident to law enforcement and, with the help of the security firm, is addressing the flaws exploited by the attackers and remediating the incident. The IT staff behind Bodybuilding.com also introduced additional security measures and forced a password reset for its customers.

Data potentially exposed in the incident includes name, Bodybuilding.com usernames and passwords, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in the BodySpace profile.

According to the firm, the potentially accessed data does not include full payment card numbers because the firm does not store them.

“The information potentially accessed in this incident does NOT include full credit or debit card numbers, as we do not store those numbers when customers make purchases in our store.” continues the data breach notification note. “If you’ve opted to store your card in your account, we store only the last four digits of your payment card number for reference and use by you for subsequent purchases, but never the entire card number.”

As usual, Bodybuilding.com users have to change their password for any other account on which they might have used the same credentials as for their Bodybuilding.com account.

Below are the recommendations provided by the company:

  • Change your password for any other account on which you used the same or similar information used for your Bodybuilding.com account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)
