Wiggle says that the customer login details hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.
As we reported yesterday, a number of the company’s customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and that they did not recognise the delivery addresses the goods were to be sent to.
In a statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.
“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.
“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”
Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.
@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I cant access your website.
— hayley badger (@hayleybadger) June 14, 2020
Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debited from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.
— Kobi Omenaka (@Kobestarr) June 15, 2020
Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.
To enhance your online security, you can also use the 1Password service, which is integrated with Have I Been Pwned and which uses “strong, unique passwords for every account” you have, so that the impact of any data breach is limited to just the account in question.
Simon joined road.cc as news editor in 2009 and is now the site’s community editor, acting as a link between the team producing the content and our readers. A law and languages graduate, published translator and former retail analyst, he has reported on issues as diverse as cycling-related court cases, anti-doping investigations, the latest developments in the bike industry and the sport’s biggest races. Now back in London full-time after 15 years living in Oxford and Cambridge, he loves cycling along the Thames but misses having his former riding buddy, Elodie the miniature schnauzer, in the basket in front of him.