Bodybuilding.com, the internet's biggest online store and online forum for fitness and bodybuilding enthusiasts, disclosed last week a security breach that impacted its IT systems.
Customer data might have been exposed, the company said in a short message posted on its website. Its staff isn't sure if the attacker accessed customer data, though.
A third-party security firm was hired to help with the investigation, but forensics experts couldn't confirm that customer data was stolen from Bodybuilding.com's servers, either.
Bodybuilding.com said investigators traced the unauthorized activity to a phishing email its staff received in July 2018. At least one employee appears to have fallen for this email.
Hackers used the data they obtained from this phishing email to access the company's network in February 2019. Bodybuilding.com didn't say when it detected the intrusion, but it said it finished its investigation on April 12. It went public with the security breach a week later, on April 19.
We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed.
Despite not knowing if hackers accessed customer data, Bodybuilding.com decided to do the right thing and notify all of its customers of the security incident, as a precaution.
It also reset all users' passwords, to prevent any abuse in case attackers did manage to steal any data.
According to the company, if hackers did manage to access and steal customer data, the details possibly exposed include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in BodySpace profiles.
Social Security numbers and payment card details were not exposed, the company said, as the site never collected this information in the first place.
Besides notifying users of the breach, Bodybuilding.com is also alerting users that scammers might also try to imitate its data breach disclosure notifications for online fraud or phishing attacks.
Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to insert the Bodybuilding.com FAQs URL into your browser and does not request your personal data.
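The three tests in that notice (no links, no attachments, no request for personal data) are easy to turn into an automated triage check that a help desk or mail gateway can run over incoming "breach notification" messages. The script below is an added example written for this article; it is not code from Bodybuilding.com or from its investigators. It parses a raw RFC 822 message with Python's standard email library, walks the MIME parts, and reports each criterion the notice fails. The sender-domain comparison goes one step beyond the notice's own list and is an added heuristic; the phrase list for "requests personal data" and both sample messages are constructed for this example.

```python
"""Triage a breach-notification e-mail against the criteria in the notice:
no links, no attachments, no request for personal data (plus a sender-domain
check added here as an extra heuristic). Sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Bare URLs in plain text and href targets in HTML both count as "links".
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
# Hypothetical phrase list: an action verb followed by a sensitive item.
# "reset your password" (something the company did itself) is deliberately
# not matched; "confirm your account" or "enter your password" is.
DATA_REQUEST_RE = re.compile(
    r"\b(?:enter|confirm|verify|provide|update|send|submit)\s+your\s+"
    r"(?:password|account|identity|details|social security|credit card|"
    r"card number|date of birth)\b",
    re.I,
)


def triage_notification(raw_message: str,
                        expected_domain: str = "bodybuilding.com") -> dict:
    """Return a verdict and the list of criteria the message violates."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Added heuristic: the From address should belong to the company's domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != expected_domain and \
            not sender_domain.endswith("." + expected_domain):
        findings.append(
            f"sender domain '{sender_domain}' does not belong to {expected_domain}")

    links, attachments, bodies = set(), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Anything with a disposition of attachment or a filename counts.
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments.append(part.get_filename() or "<unnamed>")
            continue
        if part.get_content_maintype() == "text":
            body = part.get_content()
            bodies.append(body)
            links.update(URL_RE.findall(body))
            links.update(HREF_RE.findall(body))

    if links:
        findings.append(f"contains {len(links)} link(s): {sorted(links)}")
    if attachments:
        findings.append(f"contains attachment(s): {attachments}")
    for body in bodies:
        match = DATA_REQUEST_RE.search(body)
        if match:
            findings.append(f"requests personal data ('{match.group(0)}')")
            break

    verdict = "suspicious" if findings else "consistent with genuine notice"
    return {"verdict": verdict, "findings": findings}


# Constructed sample: plain text, no URL, no attachment, no data request.
GENUINE_NOTICE = """\
From: Bodybuilding.com <security@bodybuilding.com>
To: member@example.net
Subject: Notice of data security incident
Content-Type: text/plain; charset="utf-8"

We became aware of a data security incident involving unauthorized access
to our systems. We have reset your password as a precaution. For details,
type the Bodybuilding.com FAQs address into your browser.
"""

# Constructed sample imitating the notice: lookalike sender domain, a link,
# a PDF attachment and a request to confirm account details.
LOOKALIKE_NOTICE = """\
From: Bodybuilding.com Security <alerts@bodybuilding-support.example>
To: member@example.net
Subject: URGENT: Your account was breached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<p>Your data was exposed. <a href="http://bodybuilding-support.example/verify">Click here</a>
to confirm your account and verify your identity within 24 hours.</p>
--sep
Content-Type: application/pdf; name="Breach-Report.pdf"
Content-Disposition: attachment; filename="Breach-Report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_NOTICE), ("lookalike", LOOKALIKE_NOTICE)):
        result = triage_notification(raw)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it prints a verdict for both constructed messages; the genuine notice produces no findings, while the lookalike is flagged on all four criteria. The sender-domain check is a coarse filter only: it catches lookalike domains but not a spoofed From header, which is what SPF, DKIM and DMARC checks at the mail gateway are for.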