Wiggle Data Breach – Accounts ‘Fraudulently Accessed’ – Updated Story

by 14

Wiggle customers are reporting purchases made using their card details, amid what appears to be a data breach.

Updated 20:30 16th June

We’ve received the following statement from Wiggle:

Ross Clemmow, CEO at Wiggle: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made. We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded. To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts. We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”

We’ve been advised that Wiggle will require all customers to re-enter their payment details next time they log in, in order to help prevent further fraudulent purchases being made. It seems that that problem occurs where users have the same email and password associated with more than one site. While it’s not Wiggle’s systems that have been hacked, we don’t know where the source data has come from that has allowed fraudsters to access these Wiggle accounts.

You’re advised to change your password – particularly if you used it on multiple accounts. Since Wiggle has now removed payment details from accounts, changing your password should protect your account in future. Also, check your Wiggle transactions and if you see anything that wasn’t you, get in touch with Customer Services, who are issuing refunds as a priority.

Of course, none of us would ever do anything as conveniently stupid as use the same password in multiple places, now, would we…?

Original Article Below

Customers used social media to report instances of products that they had not ordered being bought on their cards:

A statement on Wiggle’s website (and you’d probably only find it if you were really looking for it) states:

Update on recent incidents

We have investigated isolated incidents where accounts have been fraudulently accessed.

We understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.

We have taken steps to identify these compromised accounts and we are individually contacting these customers.

All impacted customers will be refunded.

We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts.

We recommend our customers change their password if they have any concerns. We would like to assure our customers we are prioritising all enquiries related to this issue.

We would like to remind customers that data security is of the utmost importance to us.

Wiggle data breach hack fraudulent

The wording ‘details have been acquired outside of Wiggle’s systems’ suggests that possibly the data breach has come through a third party rather than their internal systems. However, social media responses suggest they’re still figuring out exactly what has happened and the extent of the breach.

Until further information is released, it might be wise to change your account details on Wiggle, and keep a close eye on any transactions on cards you’ve used there. So far as we can see, the reports are limited to Wiggle accounts only, with no reports of similar issues with sibling site Chain Reaction.

Let’s keep in touch

By ticking the box below we can send you our weekly story digests featuring editorials from Chipps and even the chance to be one of Charlie’s merch winners.

Sign in to your account to manage your communication preferences.

Comments (14)

    It might be wise not to use the same password for multiple websites

    At least we know the scammers will by now be raging about being sent the wrong stuff, late, in inadequate packaging.

    If the scammers paid for next day delivery, they’ll be annoyed when they get their items in about 3-4 days, assuming Hermes don’t lose their parcel, of course.

    Sympathies to any people affected. Saving card details is convenient until your account is breached. And using the same password on multiple sites is asking for trouble.

    I presume an email will be sent to you as listed in Your Account or would the scammers change that too?
    Just checked my account, no recent orders & changed my password to ********

    Of course, there’s an easy way to avoid this happening to you…

    SUPPORT YOUR LOCAL BIKE SHOP!!!

    At least they fessed up to the propblem this time.
    Not like years ago when quite a few of my mates and I had our card details robbed and used elsewhere… the common denominator being Wiggle at the time. I got 2 pairs of shorts… some scumbag in London got 2 Dell laptops ordered for free )

    sounds like a cycling related website has been hacked with people using same passwords, then heading straight to cycling online shops. Only Wiggle?
    – Don’t save you card details on a website
    – Always use two factor authentication with payment sites (like paypal or amazon) – A code needed from your phone
    – Use Lastpass or similar to help you use multiple passwords

    Personally I don’t understand it being an issue with peoples passwords, surely the main issue here is that although accounts have been accessed those people affected had obviously saved credit / debit card details to that account, if they hadn’t then there would be nothing to talk about as people can’t order goods from someone’s account without first having their card details, simply don’t save card details to any account.

    That really is not the main issue. The main issue is that Wiggle has been cracked AGAIN.

    At least this time they have admitted it rather than pretending it hasn’t happened

    Nope, they’ve not admitted being breached; they are suggesting passwords were acquired from other systems……

    @boomerlives did you actually read the statement. Nothing in that says they have been cracked. The site is not cracked if you use credentials obtained from elsewhere. The number of idiots that use one password to rule all sites means the source data could have come from any web site being compromised.

    @gavalar Resuing passwords for multiple sites is page 1 line 1 of things not to do. You might as well set it to such secure epics as ‘password’ or ‘yourDOB’. Allowing a site to save a reference to your card (a note here sites do not store your actual card details. They store a token provided by the card processor that allows future transactions against a card) is not always the best idea but is not really the issue. As with most security strength in depth is best. Don’t reuse passwords and don’t save card details for future use (Chrome can do this for you with a much higher level of security if you really want the convieniance).

    @nixie thanks for the insight, I personally never use Wiggle or CRC as I find there are better retail platforms offering as competitive if not more competitive pricing.

    nixie – exactly the sort of fluff and bluster they came out with last time.

    But it’s always them in the mix, despite Wiggle not being culpable at all, oh no.

Leave Reply