Support road.cc

Like this site? Help us to make it better.

Wiggle investigating suspected cyber attack on customers' accounts

Some customers have highlighted money being taken for goods they never ordered to be delivered to addresses they don't know...

Wiggle has promised to get back to customers directly regarding an alleged cyber attack on its website.

The online multisport retail giant appears to have fallen victim to a cyber security breach, with a number of its customers reporting that they have received order confirmations for items they didn't purchase, and the delivery addresses were to locations they didn't recognise.

After alerts were first raised on 12 June and there were reportedly no responses from Wiggle on the matter, one customer got in touch with road.cc directly today to claim that a £30 order was made on his account.

In the tweet below, another claimed that an order for a £237.50 Castelli skinsuit was made without his knowledge.

The tweet below is the first we have seen where Wiggle confirmed it is taking action, saying its account security team is investigating and customers affected will be contacted directly.

A number of people who say they have been targeted had complained on Wiggle's social media pages, but in most cases the retailer appears to have just issued brief responses with no further acknowledgement regarding the issue; road.cc has asked Wiggle for a statement.

Simon joined road.cc as news editor in 2009 and is now the site’s community editor, acting as a link between the team producing the content and our readers. A law and languages graduate, published translator and former retail analyst, he has reported on issues as diverse as cycling-related court cases, anti-doping investigations, the latest developments in the bike industry and the sport’s biggest races. Now back in London full-time after 15 years living in Oxford and Cambridge, he loves cycling along the Thames but misses having his former riding buddy, Elodie the miniature schnauzer, in the basket in front of him.

Add new comment

33 comments

Avatar
Pawcraft | 4 years ago
0 likes

I don't know if it's a coincidence but I had 3 suspicious transactions on my credit card saved on wiggle by Uber in India (never been to india) and had to cancel the card.

Avatar
srchar | 4 years ago
1 like

This sounds like a simple case of credential stuffing.

Wiggle can't do anything about this, short of implementing two-factor authentication.

This is the fault of people who re-use passwords.

Get a password manager and use it!

Avatar
hawkinspeter replied to srchar | 4 years ago
1 like

I'm curious about this as when I went to change my password, I saw that my existing password was an extremely weak one that I know has been compromised in the past (through other websites - might have been XKCD). However, my Wiggle account hasn't been abused (by anyone else) so that seems to me like there's some other route that the crims have used to get credentials.

I can also confirm that Wiggle store card details and I can happily order without putting in the CVV. As I understand it, the credit card companies have found it cheaper to push most of the security details onto the retailers. If a retailer accepts orders and ships out expensive parts to a different country, then it'll be the retailer that's left with the bill as the credit card company will just reverse the charge.

Avatar
srchar replied to hawkinspeter | 4 years ago
1 like

hawkinspeter wrote:

my existing password was an extremely weak one that I know has been compromised in the past (through other websites - might have been XKCD)

https://haveibeenpwned.com might be able to tell you where.

Avatar
hawkinspeter replied to srchar | 4 years ago
0 likes

Actually, it was Kickstarter (changed password since) and MyFitnessPal (which I haven't used in years).

Avatar
Simon E replied to srchar | 4 years ago
1 like

srchar wrote:

This sounds like a simple case of credential stuffing.

Wiggle can't do anything about this, short of implementing two-factor authorisation.

This is the fault of people who re-use passwords.

Get a password manager and use it!

Yes, it appears to be that emails and passwords lifted from elsewhere have been used. Common password across multiple sites are an absolute no-no (and far too many people use really dumb passwords).

A password manager isn't 100% safe but it's far, far better than reusing a password, even a complex one.

But not retaining your card data is just as vital.

Avatar
jimt | 4 years ago
1 like

As much as Wiggle have managed to turn this into a complete PR nightmare, People need to understand the importance of their personal data. It would seem at first glance, people are having their accounts accessed using stolen credentials (not stolen from wiggle) freely available on the web.  If this is the case wiggle have not been hacked, you have.
Wiggle is in an unenviable position that they need to be sure of what they say and not give wrong information. I suspect they also lack the IT resources to handle this level of investigation internally.

As others have advised please use a password manager, unique passwords and 2 factor auth wherever possable. Too many people only think about this after an incident.

The wider issue is that not enough ecommerce companies are helping thier customers with options for good practice like 2FA or openID. Should any online retailer deserver you custom if they do not help you stay secure?

Avatar
omid | 4 years ago
3 likes

I'm the one who's been kicking up a stink about this on Twitter. Wiggle's response has been absolutely farcical. This has been going on for AT LEAST 10 days and is still happening TODAY. Wiggle still haven't put out a public message advising people to change their account details, and are still giving canned responses (at best) to enquiries on Twitter. 

Seriously, if you've not been affected and can still log in - change your password, unlink your card. Wiggle allows transactions to be placed without any extra authorisation and they are continually trying to absolve themselves of blame by telling people it's their own fault. 

Should you use different passwords on different websites? Yes. Should Wiggle store CVVs and allow critical account details to be updated without confirmation from the existing email address on file? Absolutely not. 

Avatar
Sriracha replied to omid | 4 years ago
0 likes

Merchants are not allowed to store CVVs. I'd be very sutprised if Wiggle were doing so.

Avatar
omid replied to Sriracha | 4 years ago
1 like

Ok then: Should Wiggle store CVVs and allow critical account details to be updated without confirmation from the existing email address on file? Absolutely not. 

But somehow, orders are being placed without any secondary authorisation. There is no 3d-secure or 2FA.

Regardless the technicalities are kind of secondary at this point to the fact they still haven't informed everyone with an account that they need to change their password. 

Avatar
OnYerBike replied to Sriracha | 4 years ago
0 likes

I've just deleted my card details from Wiggle so I can't test this anymore, but I'm pretty sure last time I ordered from Wiggle (using saved card details) I was able to complete the order without entering the CVV - indeed as far as I can remember the only security was logging on to my account (thankfully using a unique password from LastPass).

Isn't the point of the CVV that you have to enter it each time you make a purchase, thereby demonstrating that you physically have the card and avoiding this very situation? 

Avatar
Sriracha replied to OnYerBike | 4 years ago
0 likes

That might seem sensible but I don't think that's how it works. Once a merchant has verified your card once using CVV I don't think they have to repeat for successive transactions. But if the card number was stolen somehow and used elsewhere that should be foiled by lack of CVV.
I'm surprised merchants don't validate new/additional delivery addresses different than the cardholder address.

Avatar
kamoshika replied to OnYerBike | 4 years ago
2 likes

Other retailers (including Amazon I think) will store card details and not require CVV to be re-entered when you're having a delivery sent to an address you've used previously. Request delivery to a new address and you have to re-enter the CVV. Seems like a sensible approch. I've got a feeling that changing email address also requires you to re-enter CVV next time you make a purchase.

Nothing more than a hunch, and don't have anything to back it up, but it's possible that someone has identified that as a weakness with the Wiggle ordering process and, as others have suggested, used details gained from another source (ie not from hacking Wiggle) to exploit it.

Avatar
srchar replied to OnYerBike | 4 years ago
1 like

OnYerBike wrote:

Isn't the point of the CVV that you have to enter it each time you make a purchase

No. CVV prevents theft of card details using card skimmers - it's not stored in the magstripe. There's no requirement for a merchant to ask for CVV at all and card providers do not require it in order to authorise a transaction, hence why the likes of Wiggle can store your card details and allow you to complete purchases without re-entering your CVV.

Wiggle have made the decision that asking for CVV on first use is sufficient to protect them and their customers against fraud. Or they've calculated that the resulting fraud costs less than the lost sales resulting from forgetful people having to go and find their physical card every time they want to make an impulse purchase...

Don't forget that no website forces you to store your card details.

Avatar
OnYerBike replied to srchar | 4 years ago
0 likes

I'm not an expert, but my understanding is that, while card skimming is one way to obtain someone's card details, it's not the only way. And CVV should provide the same additional protection whether your details were compromised because someone skimmed your card or because someone logged in to your account (or because your card details were obtained in another way).

While no website forces you to store your card details for future purchases, all online shops will store your card details somewhere in their records - and there have been numerous occassions when such websites have been breached and card numbers have been obtained by hackers.

And yes, it does appear that retailers aren't required to request your CVV each time you make a purchase. Personally, I would think that requiring that small additional step would noticeably increase security with minimal loss of revenue.

Avatar
dodgy | 4 years ago
3 likes

I remain open to the possibility that another site has been hacked and credentials obtained which were then used on Wiggle, because people still have this habit of using the same password on multiple sites.

I'm not saying this happened here, but it won't be the first, or last time it has elsewhere.

Avatar
Sriracha replied to dodgy | 4 years ago
0 likes

...because e-tailers still have this habit of using the same password system they 100% know will lead to such behaviour amongst a good proportion of paying customers.

Avatar
dodgy replied to Sriracha | 4 years ago
2 likes

And yet people still use the same passwords. Sorry, what's your point here?

Avatar
OnYerBike replied to dodgy | 4 years ago
1 like

I think the point is that by making the shopping process as easy as possible, e-tailers get more custom. But the cost of this is lower security. 

By not requiring strong or unique passwords, and by not requiring any additional verification - even re-entering the CVV - shops make it very easy to click through and complete an order but leave themselves open to this sort of attack.

Avatar
kamoshika replied to OnYerBike | 4 years ago
0 likes

Online stores make it as easy as possible for people to place orders, because if the order process is difficult (like having to re-enter card details, 2FA etc) then a lot of people will go somewhere else. People are lazy and like things to be as easy as possible, until something like this happens. And then it's the retailers fault for not doing more to protect them.

Avatar
Pedal those squares | 4 years ago
1 like

Rule 1.   Never store a credit card on any online account

Rule 2.  Use a different password on every site (get a password manager or use google to manage the passwords)

For now, log on change your passowrd and remove all card details......then we wait to see what Wiggle say!

Avatar
handlebarcam | 4 years ago
1 like

They need to make a public statement and fast. The one thing worse than fucking your security up is fucking it up and then trying to cover it up. I was going to make a three-figure purchase from them. I won't be now, not until I see evidence it was either isolated incidents or they've made changes.

Avatar
UrbanBushman | 4 years ago
2 likes

I had my alt account compromised on the 29th of may. I got a email stating my password had been changed quickly followed by a one time code for my credit card with a purchase for £700. Luckily fraud protection kicked in. Wiggle insisted they had not had a breach. Not so sure now.

Avatar
Sriracha | 4 years ago
2 likes

I seem to remember last millennium sometime credit card (as opposed to cheque) mailorders and telephone orders could only be sent to the cardholder address. Always seemed a very sensible safeguard to me. I get the convenience of being able to have stuff shipped just anywhwere, but maybe there needs to be some address validation before stuff goes in a different direction to the bill.

Avatar
Organon | 4 years ago
3 likes

I need a Zipp 404 front wheel clincher, just send it to me and charge it to BehindTheBikesheds.

Avatar
Simon E | 4 years ago
1 like

EVERYONE with a wiggle account should change their password IMMEDIATELY!

I just tried logging in, the first time for 4 or 5 years (I don't use them any more) and it said that my account "has been locked due to repeated login attempt failures". I changed my password, of course.

And don't let them save your card details!

Avatar
hawkinspeter replied to Simon E | 4 years ago
3 likes

Just changed my password now, though I'm wondering if I should remove my card details. Maybe the crims will spend less than I do.

Avatar
Simon E replied to hawkinspeter | 4 years ago
3 likes

hawkinspeter wrote:

Just changed my password now, though I'm wondering if I should remove my card details.

Yes.

Never allow a site to store your card details if you have the option.

Avatar
Awavey replied to Simon E | 4 years ago
1 like

Tbf I hadnt realised with my account I actually had,so id add & dont assume you havent stored card details , but fortunately only my own ridiculous spending sprees shows up

Avatar
Compact Corned Beef | 4 years ago
1 like

Are we still under the aegis of the GDPR regs now? A report to the ICO should have been submitted by now if so.

Pages

Latest Comments