Forum home Road cycling forum Road general

Wiggle hacked

oxomanoxoman Posts: 8,865
Just spotted on another forum and cyber security site that wiggle are investigating a cyber attack. It's reported people have lost money for goods supposedly ordered by them and delivered elsewhere. Currently being investigated.
Too many bikes according to Mrs O.

Posts

  • sungodsungod Posts: 13,222
    from what i'd seen it sounded like a credential stuffing attack, using details stolen elsewhere i.e. if someone used the same id+password on wiggle and site oops.com, and oops.com was compromised

    the thieves use automated tools to try lists of stolen credentials against other sites, in bulk, enough people re-use passwords to make it viable

    wiggle's not to blame for illicit access where a customer has re-used the same login details that they used on oops.com

    but if it's allowing stored payment details to be used for delivery to a new address without re-verification, that's really unacceptable

    just speculation, we'll have to wait and see

    btw always a good idea to check email addresses you use...

    https://haveibeenpwned.com/

    ...and of course, avoid re-using passwords, and use two-factor whenever available
    my bike - faster than god's and twice as shiny
  • oxomanoxoman Posts: 8,865
    👍 Wise words SG, Every days a school day.
    Too many bikes according to Mrs O.
  • nigelgosnigelgos Posts: 128
    Thanks for the heads up :)

    I got an email from Wiggle the other day to 'complete my order' which is a standard email you get after you add something to your basket but don't end up buying it. This raised alarm bells as I hadn't been on the site but I didn't follow it through.

    After reading this I've just logged into my Wiggle account to see that my address has changed to this.

    Nikita Yakymenko
    Ukraine, Shostka, 41100
    Shostka
    Sumy oblast
    41000
    Ukraine
    +380686565203

    I don't store payment details on sites to prevent issues like this so luckily nothing could be purchased. Sungod mentioned https://haveibeenpwned.com/ - it's a great site to let you know if your email has been part of any breached data. My email has been part of several data breaches.
  • whyamiherewhyamihere Posts: 7,408
    edited June 2020
    You should use unique passwords for each site, password managers significantly help with this. If you use Gmail, you can also use a unique email for each site. Gmail ignores dots, and allows you to append something to the end of your address with a plus sign, meaning that even if an email address is captured in a hack, it will not be linked to anything else.

    All of these email addresses will resolve to the same inbox (note, this is a new address I set up purely for this example):

    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    Other services may be able to do similar things, but I'm only really familiar with Gmail's options.

    Edit: If you have a decent password manager (I use Dashlane), you can store which of your infinite email addresses you've used for each site.
  • cruffcruff Posts: 1,506
    I'm forever warning people about credential stuffing attacks. Haveibeenpwned is a great resource - be nice if sites started to use 2FA but I suspect that's not going ro happen any time soon as its inconvenient for the customer and costs more for the vendor to provide the service
    Fat chopper. Some racing. Some testing. Some crashing.
    Specialising in Git Daaahns and Cafs. Norvern Munkey/Transplanted Laaandoner.
  • thistle_thistle_ Posts: 4,643
    sungod said:

    btw always a good idea to check email addresses you use...

    https://haveibeenpwned.com/

    ...and of course, avoid re-using passwords, and use two-factor whenever available

    I know one of my old passwords has been hacked from somewhere (Adobe I think it was) so I've been changing them as I remember where I'd used that one before. Luckily I'd changed my Wiggle one recently...
    Chrome also alerts you if you've entered a username/password combo that's on a list of stolen details which is handy.

  • navrig2navrig2 Posts: 1,591
    I am with whyiamhere and use a password manager. If you have BT Internet then you can use True Key for free. It's much the same as Dashlane (I used that previously but switched when I realised the deal through BT).

    The other advice I have taken on board for important passwords which you need to remember is to use a (long) phrase from a book you know well. One guy I know uses an entire sentence.
Sign In or Register to comment.