Wiggle has today confirmed that a number of its customers' accounts have been fraudulently accessed. The Portsmouth, UK-based company is the largest UK online cycle retailer and also owns Chain Reaction Cycles and Bike 24.
Wiggle's direct data hasn't been hacked or breached. The issue has occurred where customers use the same password across multiple accounts. Fraudsters have been able to obtain passwords from outside of Wiggle's network, and they then scan the internet to find other accounts on which the same password works. At that point they have been able to access the Wiggle account.
As reported by road.cc, complaints about unusual transactions and data being changed have been dated back to June 12, including the purchase of a Castelli skinsuit worth £237.50.
Cyclist magazine also reported on a customer who had a £75 purchase on his account that was due to be shipped to Russia. The customer was later unable to access his Wiggle account after his password was changed.
Wiggle CEO Ross Clemmow today confirmed that a breach had taken place and issued a statement.
Cycling Industry News is reporting that Wiggle customers will now be required to re-enter their card details on future transactions. It is recommended that Wiggle customers change their passwords immediately, especially if they use the same password across multiple websites.
Article updated for clarity.