Newegg Suffers Huge Data Breach: What to Do

Senior editor, security and privacy

We nerds here at Tom's Guide love shopping online at Newegg, but if you bought anything at the computer-parts retailer in the past month, you'd better check your credit-card statements.

The company revealed today (Sept. 19) that its online-checkout pages had been infected by data-skimming malware from Aug. 14 until yesterday. The thieves behind it seem to be the same ones who hit British Airways earlier this month and the U.K. branch of Ticketmaster in July.

It's not quite clear exactly what kind of data was stolen, or how many Newegg customers were affected, but it's best to assume that all details entered into Newegg online-checkout pages — names, street addresses and credit-card numbers, expiration dates and CVC codes (printed on the backs of MasterCard and Visa cards, and on the front of American Express cards) — for that time period were compromised.


"We are conducting extensive research to determine exactly what information may have been acquired or accessed and how many customers may have been impacted," Newegg CEO Danny Lee said in an email sent to the past month's customers and seen by The Verge. "By Friday, we will publish an FAQ that will answer common questions we get."

Information-security firms RiskIQ and Volexity together determined that the Newegg theft was the work of Magecart, a data-theft group that has also been fingered for the British Airways and Ticketmaster U.K. break-ins.

"It's becoming clear to the industry that these simple yet clever attacks are not only devastating, they're becoming more and more prevalent," wrote RiskIQ in its report. "Newegg is just the latest victim."

"These attacks are not confined to certain geolocations or specific industries," RiskIQ added. "Any organization that processes payments online is a target."

The attackers set up a website at neweggstats.com, then infiltrated Newegg's web servers and added 15 lines of JavaScript to the legitimate Newegg purchase-checkout page. The script simply grabbed all the data that the customer typed into the page's form fields and sent it to neweggstats.com.
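For site operators, the tampering described above is the kind of change a script-integrity check on the checkout page can catch. The following is an added example, not code from the article, Newegg or RiskIQ: it compares each inline script against a baseline of reviewed hashes and flags any script URL whose host is not an allowed domain. The function names, the baseline, the `newegg.com` allowlist entry and the sample HTML are assumptions constructed for illustration, and the regex extraction stands in for a real HTML parser.

```javascript
const crypto = require("crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Exact-or-subdomain match; a substring test would accept look-alike names.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase();
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

function checkUrl(url, type, findings, allowed) {
  let host;
  // Assumed base URL, used only to resolve relative script paths.
  try { host = new URL(url, "https://newegg.com/").hostname; } catch { return; }
  if (!hostAllowed(host, allowed)) findings.push({ type, host });
}

// Audits one snapshot of the checkout page's HTML and returns a list of findings.
function auditCheckoutPage(html, baselineHashes, allowed) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) {
      checkUrl(src[1], "external script", findings, allowed);
      continue;
    }
    const code = body.trim();
    if (!code) continue;
    const digest = sha256(code);
    if (!baselineHashes.has(digest)) {
      findings.push({ type: "unreviewed inline script", sha256: digest });
    }
    // Absolute URLs inside inline code show where form data could be sent.
    for (const u of code.match(/https?:\/\/[^\s"'<>)]+/gi) || []) {
      checkUrl(u, "URL in inline script", findings, allowed);
    }
  }
  return findings;
}

// Constructed sample input: a reviewed page, and the same page with one added script.
const REVIEWED = 'document.title = "Checkout";';
const SAMPLE_CLEAN = `<form id="pay"></form><script>${REVIEWED}</script><script src="/js/checkout.js"></script>`;
const SAMPLE_TAMPERED = SAMPLE_CLEAN + `<script>var collector = "https://neweggstats.com/";</script>`;
const BASELINE = new Set([sha256(REVIEWED)]);
console.log(auditCheckoutPage(SAMPLE_TAMPERED, BASELINE, ["newegg.com"]));
```

The hash comparison is the primary signal, since an injected script can hide its destination URL from a string search; the host check mainly catches plain look-alike domains.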

We've reached out to Newegg for comment and will update this page when we receive a reply.