Zagg Inc. is notifying customers of a credit card data breach stemming from an unauthorized individual breaching its e-commerce platform and injecting malicious skimmer code.
Utah-based Zagg manufactures various accessories, such as keyboards, power banks, wireless charging devices, screen protectors, and phone cases. It uses BigCommerce to process credit card transactions.
“We learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024, and November 7, 2024,” the company stated.
The FreshClick app helps store owners create applications for the BigCommerce platform to extend functionality and enhance customer experience.
It is specifically suited for electronic stores like Zagg. While BigCommerce does not own FreshClick, it lists the app as an add-on for the e-commerce platform.
FreshClick lists six add-ons on the BigCommerce app store that perform various functions, including creating B2B quotes, monitoring uptime, adding product downloads, CRM, and customer service.
Zagg credit card data breach leaks payment card information
BigCommerce insists that its systems were not compromised and confirmed that the credit card data breach stemmed from the FreshClick app, which has since been removed from customers’ stores.
The credit card data breach that occurred between October 26 and November 7, 2024, leaked zagg.com customers’ payment card data alongside their names and addresses.
Zagg responded by implementing additional security measures, launching an investigation to determine the scope of the incident, alerting law enforcement and regulatory authorities, and notifying customers.
“We promptly took steps to secure ZAGG.com and initiated an investigation to determine what happened and identify what information was affected,” the company stated.
Additionally, it provided 12 months of complimentary credit monitoring via Experian IdentityWorks and advised impacted customers to review their financial statements and monitor their credit reports for suspicious activity.
Zagg also established a dedicated phone line to assist customers in navigating the credit card data breach by responding to their concerns and offering advice.
Meanwhile, Zagg has not disclosed the number of individuals impacted by the credit card data breach. There is no word on whether the compromised credit card data has been misused or shared with other threat actors. The identity of the malicious actor behind the Zagg credit card data breach also remains unknown.
Credit card skimming still a big issue
Credit card scraping remains a persistent nightmare for online store operators, given the vast amount of payment details they collect during operations and the use of third-party code.
The lack of visibility and the failure to maintain a software bill of materials contribute significantly to credit card skimming attacks, including Magecart.
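One way to get the visibility the paragraph above says is missing, shown as an added example that is not from the article or from any company named in it: keep an inventory of every script the checkout page loads, with a SHA-256 digest of each approved body, and re-check it on a schedule. The store, the app vendor URL, the script bodies and the fetch callback are constructed assumptions; an origin allowlist alone would pass the last case, because the changed file still comes from the approved app host.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class ScriptCollector(HTMLParser):  # collects (url, None) or ("inline", body)
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.scripts, self._buf = page_url, [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.scripts.append((urljoin(self.page_url, src), None))
        elif tag == "script":
            self._buf = []  # inline script: start capturing its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", "".join(self._buf).strip()))
            self._buf = None

def audit(page_url, html, fetch, inventory):
    """Return findings for scripts missing from, or differing from, inventory."""
    parser = ScriptCollector(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for key, body in parser.scripts:
        if key not in inventory:
            findings.append(("not-in-inventory", key))
        elif sha256(fetch(key) if body is None else body) not in inventory[key]:
            findings.append(("content-changed", key))
    return findings

# Constructed sample data: hypothetical store, app vendor and script bodies.
PAGE = "https://store.example/checkout"
WIDGET = "https://apps.vendor.example/widget.js"
APPROVED = {"https://store.example/pay.js": "pay();", WIDGET: "widget();"}
INVENTORY = {u: {sha256(b)} for u, b in {**APPROVED, "inline": "init();"}.items()}
HTML = ('<script>init();</script><script src="/pay.js"></script>'
        f'<script src="{WIDGET}"></script>')
# Same URL and origin as approved, but the served file now carries extra code.
SERVED = {**APPROVED, WIDGET: "widget();\n/* unreviewed addition */"}

if __name__ == "__main__":
    print(audit(PAGE, HTML, SERVED.get, INVENTORY))
```

In real use the fetch argument would be an HTTP client, and pages that add scripts at runtime need a browser-based crawl, which this static parse does not cover.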
In early 2024, Europol notified 443 online stores in 17 countries of a widespread credit card skimmer infection that stole customers’ credit card data.
In 2023, Arizona-based window blinds retailer SelectBlinds also suffered a credit card data breach from a Magecart attack affecting approximately 206,238 customers. That breach went undetected for eight months, highlighting the stealthy nature of credit card skimming attacks.
“Digital skimming attacks can go undetected for a long time,” warned Europol. “Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet.”
In 2022, Segway’s online store also suffered a Magecart attack after hackers embedded malicious code in a favicon.ico image file.

