No Wiggle room: Two weeks after angry bike shop customers report mystery orders on their accounts, firm confirms payment cards delinked - The Register
Updated Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves.
Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number of customers' login details have been acquired outside of Wiggle's systems and some have been used to gain access to Wiggle accounts and purchases made."
"We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
"To protect our customers, all accounts will require the re-entry of card details for the next purchase."
He went on to say that credential-stuffing crooks who'd obtained nicked login details (and ostensibly, reused passwords) via other methods had used them to "gain access to genuine customer accounts" - adding that the firm "recommended our customers change their password if they have any concerns".
He did not explain why Wiggle had seemingly kept silent on the issue for days nor why it seemingly had taken so long to take remedial action.