Wiggle says customers’ login details were obtained externally by hackers to access accounts

Wiggle says that login details of customers that hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.

As we reported yesterday, a number of the company’s customers a number of its customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and did not recognise the delivery addresses the goods were to be sent to.

> Wiggle investigating suspected cyber attack on customers' accounts

In statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.

“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.

“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.

“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”

Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.

@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I cant access your website.

— hayley badger (@hayleybadger) June 14, 2020

Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debit from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.

@Wiggle_Sport someone broke into my account and ordered this. I told c ustomer services as it happened but no one has come back to me. pic.twitter.com/ydhe8tDUiU

— Kobi Omenaka (@Kobestarr) June 15, 2020

Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.

To enhance your online security, you can also use the 1Password service, which is integrated with Have I Been Pwned, and which uses “strong, unique passwords for every account” you have to minimise the impact of any data breach to just the account in question.