Source: securityboulevard.com – Author: Jeffrey Burt
As the Green Bay Packers gear up for their first-round NFL playoff game January 12, team executives are having to deal with the fallout of a hack of its online retail store that exposed the data of customers who bought merchandise in late September and through much of October.
The team this week sent a letter to customers who may have been affected by the data breach. A hacker deployed malicious code into the website of the Pro Shop – the Packers’ official site for team merchandise, which is operated by a third-party vendor – and some of the information customers entered while making a purchase “may have been accessed or acquired.”
That information could include names, billing and shipping addresses, email addresses, and credit card data such as the card number, type, expiration date, and verification number.
According to a filing by the team with the Maine Attorney General’s Office, 8514 people were affected by the data breach.
The team was alerted October 23, 2024, that malicious code had been inserted on the Pro Shop website and “immediately … temporarily disabled all payment and checkout capabilities on the Pro Shop website and began an investigation,” according to the disclosure letter, signed by Chrysta Jorgensen, director of retail operations for Green Bay Packers Inc., the nonprofit that runs the team’s operations. “We also immediately required the vendor that hosts and manages the Pro Shop website to remove the malicious code from the checkout page, refresh its passwords, and confirm there were no remaining vulnerabilities.”
Outside Help Called In
In addition, outside cybersecurity experts were brought in to help with the investigation and determine what customer data may have been exposed. The investigation concluded on December 20, 2024, that the malicious code likely let the threat actor see or steal some information from customers who had used one of a “limited set” of payment options on the Pro Shop website between September 23 and 24 and October 3 and 24.
People who made purchases from the Pro Shop during those times using a gift card, Pro Shop website account, PayPal, or Amazon Pay were not affected by the malicious code and their information wasn’t exposed, Jorgensen wrote.
Threat Actors Bypassed Protections
According to researchers with Sansec, an e-commerce security company headquartered in the Netherlands, the hacker used JSONP exploitation and the oEmbed feature in YouTube to bypass security features, inject the skimming malware, and steal the data, as first reported by BleepingComputer. The researchers included the information in a December 31 report about tactics bad actors are using to abuse Google services such as Translate and YouTube to get around security measures and launch attacks.
oEmbed is an open format that allows users to embed content from a website – such as videos and images – onto another webpage. It was developed in 2008.
Shobhit Gautam, staff solutions architect at HackerOne, which offers a security platform and hacker program, said organizations using oEmbed that want to avoid similar attacks need to include strong validation mechanisms to ensure that the data they receive originated from a legitimate source and does not include malicious code.
“It’s essential for ecommerce sites and other online sellers to carefully vet and implement third-party APIs and features to ensure proper software supply chain hygiene,” Gautam said. “That also includes requiring third-party vendors and plugins to proactively and continuously assess their security postures, which can be done through engagements like pen tests and vulnerability disclosure programs.”
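The validation Gautam describes can be made concrete on the consuming side. The following is an added example written for this article, not code from the Packers, their vendor, Sansec or HackerOne. It treats an oEmbed reply as untrusted input: it refuses anything that is not plain JSON (a JSONP reply wrapped in a callback must never be loaded as a script), checks that the provider is on an allowlist, and accepts embed HTML only if it is a single https `<iframe>` on an allowed host with no inline event handlers. The allowlists and the sample responses are constructed for the example.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists for this example; a real site would maintain its own.
ALLOWED_PROVIDERS = {"www.youtube.com", "youtube.com"}
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
OEMBED_TYPES = {"photo", "video", "link", "rich"}


class EmbedInspector(HTMLParser):
    """Collects every start tag and its attributes so policy can be applied to them."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag_name, {attr: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), {k.lower(): (v or "") for k, v in attrs}))


def looks_like_jsonp(body: str) -> bool:
    """True if the body is wrapped as callback(...) instead of bare JSON."""
    stripped = body.strip().rstrip(";").rstrip()
    if not stripped or stripped[0] in "{[\"":
        return False  # bare JSON object, array or string
    head, sep, _ = stripped.partition("(")
    return bool(sep) and stripped.endswith(")") and head.strip().replace(".", "_").replace("$", "_").isidentifier()


def check_embed_html(html: str) -> None:
    """Accept only a single https <iframe> on an allowed host with no on* attributes."""
    inspector = EmbedInspector()
    inspector.feed(html)
    inspector.close()
    if len(inspector.tags) != 1 or inspector.tags[0][0] != "iframe":
        raise ValueError("embed html must be exactly one <iframe>")
    attrs = inspector.tags[0][1]
    if any(name.startswith("on") for name in attrs):
        raise ValueError("inline event handler in embed html")
    src = urlparse(attrs.get("src", ""))
    if src.scheme != "https" or src.hostname not in ALLOWED_EMBED_HOSTS:
        raise ValueError(f"iframe src not allowed: {attrs.get('src')!r}")


def validate_oembed_response(content_type: str, body: str) -> dict:
    """Parse and validate an oEmbed reply; returns the object or raises ValueError."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("application/json", "text/json"):
        raise ValueError(f"unexpected content type: {media_type}")
    if looks_like_jsonp(body):
        raise ValueError("JSONP wrapper detected; expected bare JSON")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("oEmbed response must be a JSON object")
    if data.get("type") not in OEMBED_TYPES:
        raise ValueError(f"unknown oEmbed type: {data.get('type')!r}")
    provider_host = urlparse(data.get("provider_url", "")).hostname or ""
    if provider_host not in ALLOWED_PROVIDERS:
        raise ValueError(f"provider not allowed: {provider_host!r}")
    if data.get("html"):
        check_embed_html(data["html"])
    return data


def is_safe_oembed(content_type: str, body: str) -> bool:
    try:
        validate_oembed_response(content_type, body)
        return True
    except ValueError:
        return False


# Constructed sample replies (EXAMPLE_ID is a placeholder, not a real video id).
GOOD_IFRAME = '<iframe src="https://www.youtube.com/embed/EXAMPLE_ID" width="560" height="315" allowfullscreen></iframe>'
GOOD_BODY = json.dumps({"type": "video", "provider_url": "https://www.youtube.com/", "html": GOOD_IFRAME})
JSONP_BODY = "handleEmbed(" + GOOD_BODY + ");"
SCRIPT_BODY = json.dumps({"type": "video", "provider_url": "https://www.youtube.com/",
                          "html": GOOD_IFRAME + '<script src="https://untrusted.example/x.js"></script>'})
HANDLER_BODY = json.dumps({"type": "video", "provider_url": "https://www.youtube.com/",
                           "html": '<iframe src="https://www.youtube.com/embed/EXAMPLE_ID" onload="x()"></iframe>'})
BAD_PROVIDER_BODY = json.dumps({"type": "video", "provider_url": "https://untrusted.example/", "html": GOOD_IFRAME})

if __name__ == "__main__":
    for label, ctype, body in [("good", "application/json; charset=utf-8", GOOD_BODY),
                               ("jsonp", "application/javascript", JSONP_BODY),
                               ("jsonp-as-json", "application/json", JSONP_BODY),
                               ("script", "application/json", SCRIPT_BODY),
                               ("handler", "application/json", HANDLER_BODY),
                               ("provider", "application/json", BAD_PROVIDER_BODY)]:
        print(f"{label:14} accepted={is_safe_oembed(ctype, body)}")
```

The point of the content-type and wrapper checks is that the reply is always handled as data by a JSON parser and never fetched by a `<script>` element, which is the difference between rendering an embed and executing whatever a remote endpoint returns; the iframe policy then keeps the embed itself from carrying script.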
Free Credit Monitoring
The Packers’ Jorgensen wrote that after learning of the malicious code, “we have continued to take a number of steps to enhance our security protocols and controls, technology, and training. We also worked with our vendors that host and manage the Pro Shop website to confirm enhancements to their security protocols.”
The organization also is offering affected customers three years of credit monitoring and identity theft restoration services for free through Experian.
Original Post URL: https://securityboulevard.com/2025/01/green-bay-packers-retail-site-hacked-data-of-8500-customers-exposed/
Category & Tags: Cloud Security, Cybersecurity, Data Privacy, Data Security, Endpoint, Featured, Industry Spotlight, Malware, Mobile Security, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, Threats & Breaches, Data breach, Green Bay Packers, skimming malware, stolen data, YouTube