2,600 credit cards stolen from online store -- what you need to know

Michigan State University
(Image credit: Katherine Welles / Shutterstock.com)

Michigan University State has confirmed a data breach affecting 2,600 people who bought things in its online web shop.

The hackers stole a range of credit card and personal details after hacking into the shop.msu.edu website. They then conducted a web-skimming attack, inserting malicious code into the site's own code to capture text that website visitors type into form fields, especially credit card numbers.

Web skimming attack

According to a report by Bleeping Computer, the perpetrators took advantage of a flaw in the Michigan State website to gain access. But the university has disclosed that this flaw has since been fixed. 

“An unauthorized party gained access to Michigan State University’s online store, shop.msu.edu, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020,” said the university in a statement. "The intrusion was a result of a vulnerability in the website which has since been addressed.”

The school said the hackers accessed the “names, addresses and credit card numbers” of customers, but no Social Security numbers. 

Quick fix

The university explained that its security team “promptly corrected the vulnerability” and that it is “working with law enforcement in the investigation”.

“Our top priority is preventing any further exposure of consumers’ information by sharing resources and tools to help protect them from these cyber criminals," said Michigan State Interim Chief Information Security Officer Daniel Ayala. 

“The security of our IT systems and those who use them are of paramount importance to MSU," Ayala added. "We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right.”


Since discovering and fixing the vulnerability, the university has begun contacting everyone who was impacted by the web-skimming attack. 

Michigan State explained that it is “offering them free credit monitoring and identity protection, and making recommendations to further protect their information from exposure.”

For anyone involved in the breach, the university advised the following steps:

  • Being aware of the possibility of phishing emails.
  • Creating effective passwords.
  • Using two-factor password authentication on devices and accounts whenever possible. 
  • Deleting files and data when you are done using them.

“MSU has invested heavily in information security and will continue to do so. But investment alone is not enough,” said Ayala. 

“We must also continue to educate our campus employees and our broader community. We are recommitting ourselves to that important work, which is critical to protecting all those who use our systems in today’s highly technological society.”

  • More: Stay anonymous without the spend with a cheap VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!