
Wiggle says customers’ login details were obtained externally by hackers to access accounts

Online giant also promises to refund people affected, and recommends users reset passwords

Wiggle says that login details of customers that hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.

As we reported yesterday, a number of the company’s customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and did not recognise the delivery addresses to which the goods were to be sent.

> Wiggle investigating suspected cyber attack on customers' accounts

In a statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.

“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.

“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.

“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”

Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.

Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debited from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.

Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.

To enhance your online security, you can also use the 1Password service, which is integrated with Have I Been Pwned, and which uses “strong, unique passwords for every account” you have to minimise the impact of any data breach to just the account in question.
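Have I Been Pwned also exposes its Pwned Passwords corpus through a k-anonymity "range" API, which is what password managers such as 1Password use to flag reused or breached passwords without ever sending the password itself. The following is an added example, not code from road.cc, Wiggle or Have I Been Pwned: it shows the client-side half of that check (hash locally, send only a five-character SHA-1 prefix, match the suffix at home) and runs against a constructed corpus so it works offline. The `online_fetch` helper targets the real endpoint but is not called; the password counts in `KNOWN_CONSTRUCTED` are made up.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Return the first five hex characters of the uppercase SHA-1 digest
    (the only part that leaves the client) and the remaining 35 characters,
    which are matched locally and never transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Zero-count entries are padding (sent when the client asks for
    'Add-Padding: true') and are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch) -> int:
    """How many times the password appears in the corpus behind `fetch`
    (0 means no match). `fetch(prefix)` returns the response body text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def online_fetch(prefix: str) -> str:
    """Live lookup against the real HIBP endpoint; not used by the offline demo."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus (not real breach data): password -> times seen.
KNOWN_CONSTRUCTED = {"wiggle2020": 12, "correct horse battery staple": 3}


def offline_fetch_factory(known: dict):
    """Build a fetch() that answers like the range endpoint but from the
    constructed dict: only suffixes sharing the requested prefix come back,
    plus one zero-count padding line, exactly as a padded real reply would."""
    def fetch(prefix: str) -> str:
        lines = []
        for pw, count in known.items():
            p, s = sha1_prefix_suffix(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        lines.append("F" * 35 + ":0")  # constructed padding entry
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    fetch = offline_fetch_factory(KNOWN_CONSTRUCTED)
    for pw in ("wiggle2020", "a-long-unique-passphrase-for-one-site"):
        print(pw, "->", breach_count(pw, fetch))
```

Swapping `offline_fetch_factory(...)` for `online_fetch` turns this into a real check; the property worth noting is that a non-zero count on a password you use elsewhere is exactly the credential-stuffing exposure the statement above describes.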

Simon joined road.cc as news editor in 2009 and is now the site’s community editor, acting as a link between the team producing the content and our readers. A law and languages graduate, published translator and former retail analyst, he has reported on issues as diverse as cycling-related court cases, anti-doping investigations, the latest developments in the bike industry and the sport’s biggest races. Now back in London full-time after 15 years living in Oxford and Cambridge, he loves cycling along the Thames but misses having his former riding buddy, Elodie the miniature schnauzer, in the basket in front of him.

39 comments

leqin | 3 years ago
0 likes

As a regular user of Wiggle, the somewhat indifferent explanation that it was from 'outside their own system' doesn't create a very good impression. I can well imagine what someone like Steve Gibson would have to say about Wiggle as a company if this appeared on Security Now - you should have emailed all of your customers telling them to reset their passwords and I should have had that email by now... you send me umpteen emails a week telling me about every special offer under the sun, but apparently account security is of lower priority.

Oh - and you own Chain Reaction and also Bike24 and we should be told if they also are involved and could any of those account details be compromised: in fact maybe it's best to assume that you screwed up and actually someone gained access to everybody's account details for every account with any of your divisions and that's happened far too many times in the past from companies who announced something that sounds as lame as your statement sounds to me, Wiggle.

David9694 | 3 years ago
0 likes

Wiggle says customers’ login details were obtained externally by hackers to access accounts

in other news, large predatory mammal inhabiting forested area "believed to defecate"

Hirsute | 3 years ago
0 likes

What happened to the one time codes we were all supposed to be using? Wasn't that due to be in play by now?

If you did have to get a code in an SMS or other to use with the purchase then that would reduce the fraud by some margin.

allez1984 | 3 years ago
0 likes

This happened to me on 19/5 for a gift voucher. I reported it and 8 days later they came back to say I was a one off and no other occurrences had happened. They should have acted then and not now, a month later. By changing the email and passwords of the account, they have not only ordered goods but have had week-long access to people's accounts, including their home addresses and order histories to see where their bikes are kept. Shocking from Wiggle.

fenix | 3 years ago
0 likes

How does this work? So people can order skinsuits and stuff and send them to the criminal's address? Would that address not be then known to the police?

Obviously we'd rather this didn't happen but I'm not sure I see the criminal getting away with it? Also Castelli sizing is all over the place so it prob won't fit them.

mdavidford replied to fenix | 3 years ago
0 likes

One common trick is to have the orders mailed to addresses in blocks of flats, etc. with a common mail delivery area. Then they just loiter around the area and collect the parcels before the real occupants of the addresses turn up to check their mail.

Another is to rent space somewhere using fake details, place a large number of orders all in one go to be delivered to that address, then disappear after a few days before the police turn up (and without actually paying the rent).

Of course it doesn't really matter to them whether they actually take delivery of all the packages (if some are delayed, or the real address owner gets to them first) since they're not paying for them in the first place.

Secret_squirrel | 3 years ago
0 likes

Hmm if this is true Wiggle should explain who the external provider is, and why there appears to be a significant overlap with Wiggle customers. Otherwise by Occam's razor the breach is theirs, not someone else's. I'd report them to the ICO to be on the safe side.

dodgy replied to Secret_squirrel | 3 years ago
0 likes

You'll notice that none of the affected individuals have stated they *do not* reuse passwords, quite the opposite, they're defending the practice.

Sriracha replied to dodgy | 3 years ago
0 likes

Oh, who is defending the practice of using shared passwords?

dodgy replied to Sriracha | 3 years ago
0 likes

You, in a "well people will just keep doing it" sort of way.

I don't.

Sriracha replied to dodgy | 3 years ago
0 likes

I think you misunderstand me, perhaps deliberately. I am looking at this from the perspective of Wiggle. Implementing a system for use by humans, known to be wide open to common human failure, is poor practice. They could know in advance what percentage of customers will come a cropper using it, it's a foregone conclusion. Presumably, as has been mentioned, they just figure it yields better business returns that way, even accounting for bailing them out.

mdavidford replied to Secret_squirrel | 3 years ago
0 likes
Secret_squirrel wrote:

Hmm if this is true Wiggle should explain who the external provider is, and why there appears to be a significant overlap with Wiggle customers.

Has road.cc checked to see if there's been any suspicious activity on their servers? 

Drinfinity replied to Secret_squirrel | 3 years ago
0 likes

Quite possible that the breach is elsewhere. On this forum we would hear about users with shared passwords who buy bike parts. Maybe there is a forum out there where users are complaining their favourite hi-fi online store is hacked, and somewhere else that someone is buying expensive designer clothes. We just happen to be focussed on the Wiggle users.

Easyjet was hacked a while ago, maybe those are the source of the stolen passwords.

Meanwhile I've changed mine and deleted my card (I use PayPal anyway)

dodgy replied to Drinfinity | 3 years ago
1 like

I think you have the right idea.

Here's what I think happened.

1. People complain about suspicious orders to Wiggle

2. Wiggle InfoSec dept (probably very small and understaffed) do some triage and can find no evidence of a hack, yet people continue complaining

3. Out of their depth, they call an external Cyber Forensics team in (Mandiant or someone of that ilk)

4. The first thing Mandiant will do is ask for the 'hacked' userid/email addresses so they can compare them against compromised accounts (Mandiant and other companies are well connected and will be privy to compromise data that me and you don't get to see). They do this first because if they get a match, it saves a whole heap of investigative work which might take months to finish.

5. Mandiant tell Wiggle there's a match

Usually, Mandiant (or whatever company) won't tell them the source of the compromise, so Wiggle probably won't even know where it came from.

Wiggle's investigation lasted about 48 hours, which is about right when they get a match on a set of credentials elsewhere. Don't expect Wiggle to say "yeah, we got it from easyjet/linkedin/whatever" because they probably won't have been told.

If there was a security vulnerability on Wiggle's site, you can bet there won't have been just the odd victim, it would have been a fireball and you'd read about it everywhere, they'd also close the site.

Edit to add: We must also not exclude the possibility of a key logger/virus on the 'victims' machine.

Last post on this!

Secret_squirrel replied to Drinfinity | 3 years ago
0 likes

I agree it's entirely possible, but that's not relevant.

If I have evidence they have provided access to my PII without my explicit consent they are liable under GDPR unless they can prove otherwise. If I have reasonable evidence of a Wiggle PII leak, I'm not required to go around trying to prove it came from somewhere else - that's Wiggle's job, and it's the job of the ICO to hold them to account for it. If Wiggle can show that all the breaches were external to the satisfaction of the ICO all well and good and fair play to them. Just Wiggle sayin' it's so isn't good enough.

On a lighter note - what if the "external provider" is CRC?  I'd lol. 

DoctorFish | 3 years ago
1 like

Well this could explain why I struggled to put an order in on Monday. The site kept bombing out at the point where it verifies my credit card. Contacted customer services, they made no comment about being hacked or accounts being compromised and asked me to use a different web browser. I had work to do, so I just left the order and put it through on Tuesday and all went through okay.

Pawcraft | 3 years ago
0 likes

I don't know if it's a coincidence but I had 3 suspicious transactions on my credit card saved on Wiggle by Uber in India (never been to India) and had to cancel the card.

Zebulebu | 3 years ago
4 likes

Sounds like reused passwords. How many times do people need to be told not to do this?

Sriracha replied to Zebulebu | 3 years ago
0 likes

How many times do retailers need to be told not to use simple username/password systems?

Zebulebu replied to Sriracha | 3 years ago
4 likes

What do you expect them to do? Implement 2FA and Conditional Access? When people can't even be trusted not to re-use passwords because it's not convenient for them?

Sriracha replied to Zebulebu | 3 years ago
1 like

I expect them to stop pissing in the wind. Two thirds of people reuse passwords, according to:
https://www.infosecurity-magazine.com/news/google-survey-finds-two-users/
Telling them they should not is futile. Admonishing them like you were their witless parent is even less useful.

omid replied to Sriracha | 3 years ago
1 like

People will reuse passwords, that's just a fact. But not implementing 2FA or 3d-secure, and not asking for confirmation of an email change on a service that allows you to make purchases with saved cards, is an explicit decision Wiggle have made somewhere along the line.

Sriracha replied to omid | 3 years ago
1 like

Indeed. And orders placed from novel devices on novel IP addresses simultaneously requesting novel delivery addresses - all secured by a username/password system which everybody knows fosters poor security hygiene, and no one knew it could happen. Sure, blame your customers, sounds like a business plan.

kil0ran replied to Sriracha | 3 years ago
3 likes

It's all about stopping buyers from ending transactions prior to checkout. Amazon do it too - saved cards, no CVV requirement, able to send to any address. They're willing to take the hit because making checkout harder would impact sales much more than the occasional fraudulent transaction.

srchar replied to Sriracha | 3 years ago
0 likes
Sriracha wrote:

Indeed. And orders placed from novel devices on novel IP addresses simultaneously requesting novel delivery addresses - all secured by a username/password system which everybody knows fosters poor security hygiene, and no one knew it could happen. Sure, blame your customers, sounds like a business plan.

If you block novel IP addresses, you also prevent people shopping on mobile phones connected to a mobile network and laptops in cafes/on trains etc.

When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?

Hirsute replied to srchar | 3 years ago
1 like

I think it was the 3 way novel combo that was being flagged as a security issue for further checks.

Secret_squirrel replied to srchar | 3 years ago
1 like

Sriracha said nothing about blocking.   You just put additional security confirmations in place.
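The exchange above (Sriracha's "three-way novel combo" of new device, new IP and new delivery address, srchar's point that a new IP alone is normal for phones and laptops on the move, and Secret_squirrel's "additional security confirmations" rather than blocking) amounts to a small risk-scoring rule. The following is an added example, not code from any commenter or from Wiggle: a checkout-side scorer that allows a new IP on its own, asks for the card details to be re-entered when a new delivery address arrives together with one other novel signal, and sends a one-time code when all three are novel at once. The account history, device ids, IP addresses (RFC 5737 documentation ranges) and order amounts are constructed; the decision names are this example's own.

```python
from dataclasses import dataclass, field

# Possible outcomes. None rejects the order outright: a new IP on its own is
# ordinary (mobile networks, cafes, trains), so the response only escalates
# as the novel signals stack up.
ALLOW = "allow"
REVERIFY_CARD = "reverify_card"   # re-enter card details / CVV before paying
STEP_UP = "step_up"               # one-time code to the contact details on file


@dataclass
class AccountHistory:
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    addresses: set = field(default_factory=set)


@dataclass
class Order:
    account: str
    device_id: str
    ip: str
    delivery_address: str
    amount_gbp: float


def novelty_signals(order: Order, history: AccountHistory) -> dict:
    """Which of the three attributes has this account never used before?"""
    return {
        "new_device": order.device_id not in history.devices,
        "new_ip": order.ip not in history.ips,
        "new_address": order.delivery_address not in history.addresses,
    }


def decide(order: Order, history: AccountHistory) -> str:
    signals = novelty_signals(order, history)
    if all(signals.values()):
        # the three-way novel combo: new device, new network and a new
        # delivery address in the same order
        return STEP_UP
    if signals["new_address"] and (signals["new_device"] or signals["new_ip"]):
        return REVERIFY_CARD
    return ALLOW


def record_success(order: Order, history: AccountHistory) -> None:
    """Once an order has cleared its checks, its attributes become known for
    the account, so the same customer is not challenged on every purchase."""
    history.devices.add(order.device_id)
    history.ips.add(order.ip)
    history.addresses.add(order.delivery_address)


# Constructed history and orders (documentation IPs, made-up ids).
HISTORY = {
    "cust-1": AccountHistory(devices={"dev-A"}, ips={"203.0.113.5"},
                             addresses={"1 High St"}),
}

SAMPLE_ORDERS = [
    Order("cust-1", "dev-A", "198.51.100.7", "1 High St", 30.0),       # same phone, mobile network
    Order("cust-1", "dev-A", "198.51.100.7", "99 Unknown Rd", 30.0),   # known device, new address
    Order("cust-1", "dev-B", "198.51.100.9", "99 Unknown Rd", 237.5),  # everything new at once
]


def triage(orders, history=HISTORY):
    """Return (order, decision) pairs without mutating the history."""
    return [(o, decide(o, history[o.account])) for o in orders]


if __name__ == "__main__":
    for order, decision in triage(SAMPLE_ORDERS):
        print(order.delivery_address, order.amount_gbp, "->", decision)
```

The point of `record_success` is the one the thread keeps circling: the friction lands on the first genuinely novel combination and then disappears, which is what makes a step-up cheaper for the business than the blanket 2FA that Zebulebu dismisses above.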

Sriracha replied to srchar | 3 years ago
0 likes
srchar wrote:

When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?

Actually, yes - you nailed it. Good road design accounts for human failure. Where a poor layout leads to repeated accidents you can point your finger at drivers not driving appropriate to the conditions, and keep enlarging the cemetery, or you can fix the road layout.

srchar replied to Sriracha | 3 years ago
1 like
Sriracha wrote:
srchar wrote:

When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?

Actually, yes - you nailed it. Good road design accounts for human failure. Where a poor layout leads to repeated accidents you can point your finger at drivers not driving appropriate to the conditions and keep supplying the coffins, or you can fix the road layout.

We'd better rescind every driving penalty ever issued and sue the councils then.

Abandon personal responsibility all ye who drive here.

mdavidford replied to srchar | 3 years ago
1 like
srchar wrote:
Sriracha wrote:
srchar wrote:

When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?

Actually, yes - you nailed it. Good road design accounts for human failure. Where a poor layout leads to repeated accidents you can point your finger at drivers not driving appropriate to the conditions and keep supplying the coffins, or you can fix the road layout.

We'd better rescind every driving penalty ever issued and sue the councils then.

Abandon personal responsibility all ye who drive here.

Responsibility isn't all or nothing - it can be shared around.

In this analogy, the close-passing driver would be most akin to the fraudsters / hackers, the council / planners to the website developers and the banks, and the customers to the people cycling.

Blaming the customers is like criticising people for riding too close to the kerb and not further out to discourage the passes. There might be some truth to it, but they're just responding as humans do, and it's a distraction from addressing the real problem.
