SelectBlinds says 200,000 customers impacted after hackers embed malware on site

More than 200,000 who shopped for blinds or window dressing this year had their credit card information and other data stolen after hackers placed malware on a major retailer’s website.

In breach notification documents filed this week in California and Maine, SelectBlinds said employees discovered the malware on September 28 and realized the malware had been on the company website since at least January 7.

“An unauthorized third party embedded malware on the SelectBlinds website that allowed data scraping on logins on the check-out page,” the company said. “Through our investigation, we learned that your www.selectblinds.com username and password was affected if you logged in to the check-out page only on the SelectBlinds website while making or considering a purchase.”

In addition to login information, the company learned that hackers likely obtained names, emails, shipping and billing addresses, phone numbers and payment card numbers alongside expiration dates and security/CVV codes. 

User accounts have been locked in an effort to force people to change their passwords and SelectBlinds said it has removed the malware. 

The online retailer warned that anyone who reused the same login information on other sites should immediately change their passwords.

Hackers have long embedded malware known as e-skimmers into websites where people purchase things, siphoning millions of credit card numbers and more.

In most attacks, hackers compromise vulnerable websites by injecting malicious code, often JavaScript, into checkout pages or other parts of the site where payment information is entered. 

This code is designed to capture sensitive data such as credit card numbers, CVV codes and personal information entered by users during the checkout process. That information is then often packaged and sold to “carding” operations that use it for fraud.

Recorded Future said in a report last month that hackers posted 15 million card records for sale on dark web carding shops. The Record is an editorially independent unit of Recorded Future.

In April, Russian officials took the rare step of publicly charging six people suspected of stealing the details of 160,000 credit cards as well as payment information from foreign online stores.

Europol joined law enforcement agencies from 17 countries in warning 443 online sellers last year that the payment card data of their customers had been compromised.