Image: SCUF Gaming
SCUF Gaming International, a leading manufacturer of custom PC and console controllers, is notifying customers that its website was hacked in February to plant a malicious script used to steal their credit card information.
SCUF Gaming makes high-performance and customized gaming controllers for PCs and consoles, used by both professional and casual gamers
It has 118 granted patents and 52 other pending patent applications covering key controller areas, including the trigger control mechanism, back control functions and handle, and more.
Over 32,000 customers impacted
SCUF Gaming customers were the victims of a web skimming (also known as e-Skimming, digital skimming, or Magecart) attack.
Threat actors inject JavaScript-based scripts known as credit card skimmers (aka Magecart scripts, payment card skimmers, or web skimmers) into compromised online stores which allow them to harvest and steal customers's payment and personal info.
The attackers later sell it to others on hacking or carding forums or use it in various financial or identity theft fraud schemes.
In this case, the malicious script was deployed on SCUF Gaming's online store after the attackers gained access to the company's backend on February 3rd using login credentials belonging to a third-party vendor.
Two weeks later, on February 18th, SCUF was alerted by its payment processor of unusual activity linked to credit cards used on its web store.
The payment skimmer was detected and removed one month later, on March 16th, following what the company calls "a rigorous investigation in partnership with third-party forensic specialists."
"Our investigation has determined that orders processed via PayPal were not compromised and that the incident was limited to payments or attempted payments via credit card between February 3rd and March 16th," SCUF Gaming says in breach notification letters sent to affected individuals.
"The potentially exposed data was limited to cardholder name, email address, billing address, credit card number, expiration date, and CVV."
While the company didn't disclose the number of impacted people in the notification letters, it told the Office of the Maine Attorney General that 32,645 individuals were affected in total.
Customers warned to monitor their bank accounts
SCUF Gaming also emailed customers in May to warn them that their credit card information may have been exposed in a data breach and ask them to watch their bank accounts for suspicious activity.
"This communication does not mean that fraud did or will occur on your payment card account," SCUF Gaming told affected customers today.
"You should monitor your account and notify your card provider of any unusual or suspicious activity. As a precaution, you may wish to request a new payment card number from your provider."
On April 10th, SCUF Gaming disclosed another data breach after exposing an "internal development database" containing over 1.1 million customer records with personal and payment information.
A SCUF Gaming spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Comments
Echo64 - 2 years ago
"The potentially exposed data was limited to cardholder name, email address, billing address, credit card number, expiration date, and CVV."
Oh good I'm glad nothing serious got exposed, it was just limited to these few little things.