How did the attackers get the JS onto the cart page? That's the interesting part to me that the article leaves out. They managed to break into a PCI-compliant website that presumably has significant defenses and auditing in place.
Lovely. I made a purchase recently with NewEgg but at least it was with a previously stored credit card so hopefully I'm not impacted by this. However, I am disappointed that NewEgg hasn't made any sort of official announcement yet.
This breach has reminded me of this pretty great article: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
They are just now (around 11:10 CDT 9/19) sending out notification emails to customers. At the moment they don't even seem to know what accounts were affected.
I am surprised that there is no automated alert to tell the webmaster that his code has changed on his website. Especially on the payments page! With 50,000,000 users a month, surely they have a whole team working on checkout, all the time?
For a website with so many visitors and transactions, I’m surprised this API call never threw enough errors for them to see in logging. I will admit that JS logging can be messy because of all the different environments but after some time I would have hoped this would have been caught.
I had a conversation two days ago with the CTO of a very large company you've definitely heard of who said "we don't need to worry about our website security, we have a firewall and SSL". I think these types of attacks are vastly underreported, if anything.
Damn. I made a purchase in that time period. I rarely buy anything from them, but it had to happen in that interval! I paid with PayPal. I assume I'm not affected?