Wiggle says that login details of customers that hackers used to gain access to accounts and order goods were obtained from outside its own systems. The online retailer says it will refund people who have been affected, and has recommended that customers change their passwords.
As we reported yesterday, a number of the company’s customers have reported in recent days that they have received confirmation of orders for items they hadn’t bought, and did not recognise the delivery addresses the goods were to be sent to.
> Wiggle investigating suspected cyber attack on customers' accounts
In a statement issued today, the company’s CEO, Ross Clemmow, said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.
“We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
“To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.
“We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”
Concerned customers began raising the alarm on social media last week, with more cases being flagged up to the retailer over the weekend.
Yesterday, a road.cc reader got in touch with us to say that a £30 order had been made on his account without his knowledge, while another customer tweeted that £237.50 had been debited from his bank account after someone ordered a Castelli skinsuit using his Wiggle account details.
Wiggle has recommended that people use the website Have I Been Pwned to check whether their email address has been compromised.
To enhance your online security, you can also use a password manager such as 1Password, which integrates with Have I Been Pwned and generates “strong, unique passwords for every account” you have, so that a data breach at one site exposes only the account in question.
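The Have I Been Pwned check the article recommends works, for passwords, without ever sending the password to the service: the client hashes it, sends only the first five hex characters of the SHA-1, and receives every hash suffix sharing that prefix. The code below is an added example (not road.cc's or Wiggle's code) of that k-anonymity range check run entirely offline; the range response embedded in it is constructed for the demo, the count it reports is not the live figure, and the `fetch_range` helper that would perform the real lookup is included for reference but never called.

```python
"""Offline demonstration of a Have I Been Pwned style k-anonymity range check.

Constructed example, not road.cc's or Wiggle's code. The Pwned Passwords
range API takes the first five hex characters of a password's uppercase
SHA-1 and returns lines of the form SUFFIX:COUNT for every hash sharing
that prefix, so the full password hash never leaves the client.
"""
from __future__ import annotations

import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a SUFFIX:COUNT response body into a dict keyed by suffix.

    Padded responses contain dummy suffixes with a count of 0; those are
    dropped so a padding entry can never be mistaken for a real hit.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the given range response (0 = not seen)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against https://api.pwnedpasswords.com/range/<prefix>.

    Reference only: not called by the offline demo below, needs network access.
    """
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# Only the first line's suffix is real; the other suffixes and every count are
# made up for this example, and the last line imitates a padding entry.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0AD1E3C3B1B4F3F6A3E2C1D0B9A8F7E6D5C:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def demo() -> dict[str, int]:
    """Check two passwords against the constructed response for prefix 5BAA6."""
    results: dict[str, int] = {}
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        # Only the 5BAA6 range is embedded; any other prefix is a miss in this demo.
        body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
        results[pw] = breach_count(pw, body)
    return results


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in range")
```

The point of the padding check is that a live response requested with `Add-Padding` contains filler suffixes with a count of 0; matching on suffix alone without looking at the count would report a phantom hit.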
As a regular user of Wiggle, the somewhat indifferent explanation that it was from 'outside their own system' doesn't create a very good impression. I can well imagine what someone like Steve Gibson would have to say about Wiggle as a company if this appeared on Security Now - you should have emailed all of your customers telling them to reset their passwords and I should have had that email by now..... you send me umpteen emails a week telling me about every special offer under the sun, but apparently account security is of lower priority.
Oh - and you own Chain Reaction and also Bike24 and we should be told if they also are involved and could any of those account details be compromised: in fact maybe it's best to assume that you screwed up and actually someone gained access to everybody's account details for every account with any of your divisions, and that's happened far too many times in the past from companies who announced something that sounds as lame as your statement sounds to me, Wiggle.
Wiggle says customers’ login details were obtained externally by hackers to access accounts
in other news, large predatory mammal inhabiting forested area "believed to defecate"
What happened to the one time codes we were all supposed to be using? Wasn't that due to be in play by now?
If you did have to get a code in an SMS or other to use with the purchase then that would reduce the fraud by some margin.
This happened to me on 19/5 for a gift voucher. I reported it and 8 days later they came back to say I was a one off and no other occurrences had happened. They should have acted then and not now, a month later. By changing the email and passwords of the account they have not only ordered goods but have had week-long access to people's accounts, including their home addresses and order histories to see where their bikes are kept. Shocking from Wiggle.
How does this work ? So people can order skinsuits and stuff and send them to the criminals address ? Would that address not be then known to the police ?
Obviously we'd rather this didn't happen but I'm not sure I see the criminal getting away with it? Also Castelli sizing is all over the place so it prob won't fit them.
One common trick is to have the orders mailed to addresses in blocks of flats, etc. with a common mail delivery area. Then they just loiter around the area and collect the parcels before the real occupants of the addresses turn up to check their mail.
Another is to rent space somewhere using fake details, place a large number of orders all in one go to be delivered to that address, then disappear after a few days before the police turn up (and without actually paying the rent).
Of course it doesn't really matter to them whether they actually take delivery of all the packages (if some are delayed, or the real address owner gets to them first) since they're not paying for them in the first place.
Hmm if this is true Wiggle should explain who the external provider is, and why there appears to be a significant overlap with Wiggle customers. Otherwise by Occam's razor the breach is theirs, not someone elses. I'd report them to ICO to be on the safe side.
You'll notice that none of the affected individuals have stated they *do not* reuse passwords, quite the opposite, they're defending the practice.
Oh, who is defending the practice of using shared passwords?
You, in a "well people will just keep doing it" sort of way.
I don't.
I think you misunderstand me, perhaps deliberately. I am looking at this from the perspective of Wiggle. Implementing a system for use by humans, known to be wide open to common human failure, is poor practice. They could know in advance what percentage of customers will come a cropper using it; it's a foregone conclusion. Presumably, as has been mentioned, they just figure it yields better business returns that way, even accounting for bailing them out.
Has road.cc checked to see if there's been any suspicious activity on their servers?
Quite possible that the breach is elsewhere. On this forum we would hear about users with shared passwords who buy bike parts. Maybe there is a forum out there where users are complaining their favourite hi-fi online store is hacked, and somewhere else that someone is buying expensive designer clothes. We just happen to be focussed on the wiggle users.
Easyjet was hacked a while ago, maybe those are the source of the stolen passwords.
Meanwhile I've changed mine and deleted my card (I use PayPal anyway)
I think you have the right idea.
Here's what I think happened.
1. People complain about suspicious orders to Wiggle
2. Wiggle InfoSec dept (probably very small and understaffed) do some triage and can find no evidence of a hack, yet people continue complaining
3. Out of their depth, they call an external Cyber Forensics team in (Mandiant or someone of that ilk)
4. The first thing Mandiant will do is ask for the 'hacked' userid/email addresses so they can compare them against compromised accounts (Mandiant and other companies are well connected and will be privy to compromise data that me and you don't get to see). They do this first because if they get a match, it saves a whole heap of investigative work which might take months to finish.
5. Mandiant tell Wiggle there's a match
Usually, Mandiant (or whatever company) won't tell them the source of the compromise, so Wiggle probably won't even know where it came from.
Wiggle's investigation lasted about 48 hours, which is about right when they get a match on a set of credentials elsewhere. Don't expect Wiggle to say "yeah, we got it from easyjet/linkedin/whatever" because they probably won't have been told.
If there was a security vulnerability on Wiggle's site, you can bet there won't have been just the odd victim, it would have been a fireball and you'd read about it everywhere, they'd also close the site.
Edit to add: We must also not exclude the possibility of a key logger/virus on the 'victims' machine.
Last post on this!
I agree it's entirely possible, but that's not relevant.
If I have evidence they have provided access to my PII without my explicit consent they are liable under GDPR unless they can prove otherwise. If I have reasonable evidence of a Wiggle PII leak, I'm not required to go around trying to prove it came from somewhere else - that's Wiggle's job, and it's the job of the ICO to hold them to account for it. If Wiggle can show that all the breaches were external to the satisfaction of the ICO all well and good and fair play to them. Just Wiggle sayin' it's so isn't good enough.
On a lighter note - what if the "external provider" is CRC? I'd lol.
Well this could explain why I struggled to put an order in on Monday. The site kept bombing out at the point where it verifies my credit card. Contacted customer services, they made no comment about being hacked or accounts being compromised and asked me to use a different web browser. I had work to do, so I just left the order and put it through on Tuesday and all went through okay.
I don't know if it's a coincidence but I had 3 suspicious transactions on my credit card saved on wiggle by Uber in India (never been to india) and had to cancel the card.
Sounds like reused passwords. How many times do people need to be told not to do this?
How many times do retailers need to be told not to use simple username/password systems?
What do you expect them to do? Implement 2FA and Conditional Access? When people can't even be trusted not to re-use passwords because it's not convenient for them?
I expect them to stop pissing in the wind. Two thirds of people reuse passwords, according to:
https://www.infosecurity-magazine.com/news/google-survey-finds-two-users/
Telling them they should not is futile. Admonishing them like you were their witless parent is even less useful.
People will reuse passwords, that's just a fact. But not implementing 2FA or 3-D Secure, and not asking for confirmation of an email change on a service that allows you to make purchases with saved cards, is an explicit decision Wiggle have made somewhere along the line.
Indeed. And orders placed from novel devices on novel IP addresses simultaneously requesting novel delivery addresses - all secured by a username/password system which everybody knows fosters poor security hygiene, and no one knew it could happen. Sure, blame your customers, sounds like a business plan.
It's all about stopping buyers from ending transactions prior to checkout. Amazon do it too - saved cards, no CVV requirement, able to send to any address. They're willing to take the hit because making checkout harder would impact sales much more than the occasional fraudulent transaction.
If you block novel IP addresses, you also prevent people shopping on mobile phones connected to a mobile network and laptops in cafes/on trains etc.
When a driver close-passes a rider on a section of narrow road, do you blame the council for not widening it?
I think it was the 3 way novel combo that was being flagged as a security issue for further checks.
Sriracha said nothing about blocking. You just put additional security confirmations in place.
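The check the commenters above are describing is a simple risk rule on each order: an unfamiliar device, an unfamiliar IP and an unfamiliar delivery address are each harmless on their own (a phone on mobile data, a move to a new house), but all three arriving together on one order is the credential-stuffing pattern and is worth holding for a confirmation step before dispatch. The code below is an added example of that rule, not Wiggle's or road.cc's code; the account histories, device fingerprints, IP addresses and delivery addresses in it are all constructed for the demo.

```python
"""Risk check on an order: novel device + novel IP + novel delivery address.

Constructed example, not Wiggle's or road.cc's code. A new address on its
own, or a new device on a new network with the usual address, is allowed;
an order where all three signals are novel at once is held for step-up
verification (e.g. a one-time code) before it is accepted. All histories,
fingerprints and addresses below are made up for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccountHistory:
    devices: set[str] = field(default_factory=set)    # device fingerprints seen before
    ips: set[str] = field(default_factory=set)        # client IPs seen before
    addresses: set[str] = field(default_factory=set)  # delivery addresses used before


@dataclass(frozen=True)
class Order:
    device: str
    ip: str
    address: str


def novel_signals(history: AccountHistory, order: Order) -> set[str]:
    """Which of device / ip / address this account has never used before."""
    signals: set[str] = set()
    if order.device not in history.devices:
        signals.add("device")
    if order.ip not in history.ips:
        signals.add("ip")
    if order.address not in history.addresses:
        signals.add("address")
    return signals


def decide(history: AccountHistory, order: Order) -> str:
    """Return 'step_up' when device, IP and delivery address are all new, else 'allow'."""
    if {"device", "ip", "address"} <= novel_signals(history, order):
        return "step_up"
    return "allow"


def record_order(history: AccountHistory, order: Order) -> None:
    """Learn from an order that was allowed, or that passed step-up verification."""
    history.devices.add(order.device)
    history.ips.add(order.ip)
    history.addresses.add(order.address)


def demo() -> list[tuple[str, str]]:
    """Run three constructed orders for one account through the check, in sequence."""
    hist = AccountHistory(
        devices={"fp-home-laptop"},
        ips={"203.0.113.10"},  # documentation range, constructed
        addresses={"12 Example Road, Portsmouth"},
    )
    orders = [
        ("phone on mobile data, usual address",
         Order("fp-phone", "198.51.100.7", "12 Example Road, Portsmouth")),
        ("usual laptop, new address (moved house)",
         Order("fp-home-laptop", "203.0.113.10", "4 New Street, Portsmouth")),
        ("unknown device, unknown IP, unknown address",
         Order("fp-unknown", "192.0.2.99", "Flat 7, Block B, Some Estate")),
    ]
    results: list[tuple[str, str]] = []
    for label, order in orders:
        verdict = decide(hist, order)
        results.append((label, verdict))
        if verdict == "allow":
            record_order(hist, order)  # only learn from orders that were not held
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{verdict:8s} {label}")
```

Note that the history is only updated from orders that were allowed or verified; if an unverified order taught the model its new device, IP and address, the second fraudulent order from the same attacker would sail through.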
Actually, yes - you nailed it. Good road design accounts for human failure. Where a poor layout leads to repeated accidents you can point your finger at drivers not driving appropriate to the conditions, and keep enlarging the cemetery, or you can fix the road layout.
We'd better rescind every driving penalty ever issued and sue the councils then.
Abandon personal responsibility all ye who drive here.
Responsibility isn't all or nothing - it can be shared around.
In this analogy, the close-passing driver would be most akin to the fraudsters / hackers, the council / planners to the website developers and the banks, and the customers to the people cycling.
Blaming the customers is like criticising people for riding too close to the kerb and not further out to discourage the passes. There might be some truth to it, but they're just responding as humans do, and it's a distraction from addressing the real problem.