December 2, 2021

Newegg hacked, card information stolen for millions

Popular e-commerce website Newegg is the latest victim of a cyberattack by Magecart, according to Volexity, a cyberthreat monitoring firm. Newegg is the latest in a string of high-profile cyberattacks making use of the card-skimming code that recently compromised British Airways, Ticketmaster, and Feedify. Most critically, customer names and complete card details were stolen using the exploited code between August 16th and September 18th.

Magecart exploited the Newegg checkout process with JavaScript similar to the code used in their hacking of British Airways. Only 15 lines of code were needed to skim the card data. The code stole customer data from the Billing Information page and transmitted it back to privately-registered domain

Image credit: The Verge

The domain was registered on August 13th, likely after the website was already compromised. Three days later, the attack was executed on The use of a similar domain, which also carried an SSL certificate issued on August 13th, allowed the code to go unnoticed. Critically, JavaScript used in the attack affected customers on both desktop and mobile devices. Magecart continues to follow a pattern of targeting customer information directly through malicious code rather than hacking company databases.
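As an added example (not from the original article, Newegg, or Volexity), here is a small defender-side check that classifies the hosts a billing page contacts and flags brand lookalikes such as the similar domain described above. All hostnames are constructed, and treating the last two labels of a host as its registrable domain is a simplifying assumption.

```javascript
// Added example: constructed hostnames under the reserved .example TLD.
// Simplification (assumption): the registrable domain is the last two labels;
// production code should consult the Public Suffix List instead.
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Levenshtein distance, used to catch near-miss spellings of the brand label.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify every destination the checkout page talked to.
function classifyDestinations(firstParty, allowlist, urls) {
  const own = registrable(firstParty);
  const brand = own.split('.')[0];
  const allowed = new Set(allowlist.map(registrable));
  return urls.map((u) => {
    const host = new URL(u).hostname;
    const reg = registrable(host);
    const label = reg.split('.')[0];
    let verdict = 'unknown';
    if (reg === own) verdict = 'first-party';
    else if (allowed.has(reg)) verdict = 'allowlisted';
    else if (label.includes(brand) || editDistance(label, brand) <= 2) verdict = 'lookalike';
    return { host, verdict };
  });
}

// Constructed sample: destinations observed while loading a billing page.
const observed = [
  'https://secure.shop.example/checkout/billing',
  'https://js.payments.example/v3/sdk.js',
  'https://shopstats.example/collect',
  'https://sh0p.example/collect',
  'https://cdn.fonts.example/a.woff2',
];
const report = classifyDestinations('shop.example', ['payments.example'], observed);
console.log(report.filter((r) => r.verdict === 'lookalike' || r.verdict === 'unknown'));
```

Hosts reported as `lookalike` or `unknown` are the ones to review against the checkout page's expected third parties.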

Newegg, a multibillion-dollar company with 50 million customers per month, began notifying customers who made purchases during the one-month period via email on Wednesday. It also plans to publish an FAQ on its website on Friday.

If you’ve shopped recently at Newegg, you should monitor your bank account for fraudulent activity. Considering that your complete card information is now compromised, it would also be prudent to turn off your card and request a new one from your banking institution. You may not notice unusual charges right away, but it would not be uncommon for your card information to be used in the future, or sold to other malicious parties.
