The world-renowned fitness platform – Bodybuilding.com has suffered a data breach in which personal data of registered users has been accessed. The breach was identified in February 2019 and after conducting an investigation it was revealed that it was a result of a phishing attack carried out in July 2018.
Although the exact number of victims is unclear, Bodybuilding.com is contacting current and former users and customers about the incident urging them to reset their password. Furthermore, the company will be resetting customers’ passwords on their next log-in.
As far as the stolen data is concerned, Bodybuilding.com claims to have no evidence whether personal data was accessed or misused used by hackers.
However, what “might have been accessed in this incident” according to the company, could include usernames, passwords, names, email addresses, phone numbers, date of birth, order history, communication between customers and the site’s staff, information on BodySpace profile (which is public by default), billing and shipping addresses.
According to a security advisory issued by Bodybuilding.com, no credit or debit card data was accessed during the breach as other than the last four digits of payment card number Bodybuilding.com does not store any financial information on its server.
Moreover, data of those customers who used third-party service (such as Facebook) to login to the website, their data is safe as well since Bodybuilding.com did not have access to their password, and it was not accessible to the unauthorized party.
Bodybuilding.com is currently conducting an investigation with the help of law enforcement agencies and has hired cyber-security experts to fix vulnerabilities and remediate the incident. Additionally, the website is asking customers to remain vigilant and watch out for any phishing email claiming to have been sent by Bodybuilding.com.
It is worth mentioning that the breach notification email sent by the website does not ask users to click on any link, download attachment or provide their personal information. If you receive such email asking for your personal data mark it as spam.
Bodybuilding.com’s data breach is a lesson for businesses who lack cybersecurity expertise and don’t emphasize on training their employees about the dangers of cyber-attacks, and how to identify phishing scams. Every company should invest in teaching their employees about the growing threat of cyber-attacks.