Online retailer Newegg on Wednesday confirmed that credit card information from customers had been stolen using a sophisticated attack.
“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” the company said in a statement on Twitter. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted. Please check your email.”
In the Newegg attack, the injected code was designed to avoid detection by blending into the surrounding infrastructure. Although Newegg has not confirmed it, it’s possible customers who made purchases from the company on both computers and mobile could have been hit.
Security researchers at Volexity said they believe the injection occurred on August 16, 2018, when the domain for Neweggstats.com was registered. Customers from that date in August to September are likely impacted. Both Volexity and RiskIQ jointly discovered the attack and alerted Newegg this week which removed the code on Tuesday.
Newegg said it will release more information this week, and contact customers whose data may have been stolen.