The damaging effects of a phishing attack are not always felt immediately. Phishers usually run many campaigns in parallel, and because of the volume it may take them a while to “schedule” a “follow-up” attack against a target after a successful phishing expedition. This is what happened to bodybuilding.com, a vendor of fitness equipment and a forum for bodybuilders, which experienced a phishing attack in July 2018 and discovered in February 2019 that a security breach had followed.
Bodybuilding.com issued a press release providing initial details of the situation and describing what the company is doing to address the issue. Its investigation concluded only on April 12, 2019, but a follow-up probe is required, given that the company is not yet sure whether certain personally identifiable information was lost.
“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. We are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them,” explained Bodybuilding.com.
The company gave its assurance that it is cooperating and coordinating fully with law enforcement agencies. Bodybuilding.com also enlisted security researchers to find more vulnerabilities in its systems and address them immediately. There is no indication that financial information such as credit/debit cards was included in the data breach. However, the company confirmed that the affected customer information could include the following:
- Email address
- Billing/Personal Address
- Phone Number
- Order History
“Once we became aware of the incident, we quickly took steps to determine the nature and scope of the issue. We are working with a leading data security firm to assist in our investigation. We have also notified and are coordinating with law enforcement authorities. Emails were sent to all current and former users and customers regarding this issue. Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data,” added Bodybuilding.com.
Users of bodybuilding.com are strongly advised to change their passwords, using one that is unique to the site. Unsolicited communications asking for user credentials should be ignored, as those are usually phishing attempts.
“We sincerely regret any inconvenience or concern caused by this incident. We are committed to protecting your information and maintaining your trust and confidence. We have established a dedicated call center to answer any questions you may have. You can reach the call center at 1-844-386-9553 between 8:00 AM – 10:00 PM CT, Monday through Friday, or 10:00 AM – 7:00 PM CT, Saturday and Sunday,” concluded Bodybuilding.com.