SCUF Gaming International, a well-known manufacturer of custom PC and console controllers, is alerting customers that its website was compromised in February to plant a malicious script used to steal their credit card information.
SCUF Gaming makes high-performance and customized gaming controllers for PCs and consoles, used by both professionals and casual gamers.
It has around 118 granted patents and 52 other pending patent applications covering key controller areas, which include the trigger control mechanism, back control functions and handle, and more.
How 32,000 Customers Were Affected
SCUF Gaming customers were the victims of a web skimming (also known as e-skimming, digital skimming, or Magecart) attack. Threat actors inject JavaScript-based scripts, known as credit card skimmers (aka Magecart scripts or payment card skimmers), into compromised online stores, which allows them to harvest and steal customers’ payment and personal information.
The attackers later sell it to others on hacking or carding forums or use it in various financial or identity theft fraud schemes. In this case, the malicious script was deployed on SCUF Gaming’s online store after the attackers gained access to the company’s backend on February 3rd using login credentials belonging to a third-party vendor.
Two weeks later, on February 18th, SCUF was alerted by its payment processor of unusual activity linked to credit cards used on its web store. The payment skimmer was detected and removed one month later, on March 16th, following what the company calls “a rigorous investigation in partnership with third-party forensic specialists.”
“Our investigation has determined that orders processed via PayPal were not compromised and that the incident was limited to payments or attempted payments via credit card between February 3rd and March 16th,” SCUF Gaming says in breach notification letters sent to affected individuals.
“The potentially exposed data was limited to cardholder name, email address, billing address, credit card number, expiration date, and CVV.”

While the company didn’t disclose the number of impacted people in the notification letters, it told the Office of the Maine Attorney General that 32,645 individuals were affected in total.
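The skimmer described above stayed on the store's pages from February 3rd until March 16th. As an added example (not SCUF's code and not part of the breach notification), the sketch below shows one defensive check for that class of change: comparing the scripts a checkout page loads against a reviewed baseline. The store URL, script names and sample HTML are constructed.

```javascript
// Added example: script inventory check for a checkout page (all names and URLs are constructed).
const PAGE_URL = "https://store.example/checkout";

// Pull every <script> element out of the HTML: resolved src origin, or trimmed inline body.
function listScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) scripts.push({ kind: "external", value: new URL(src[1], PAGE_URL).origin });
    else if (body.trim()) scripts.push({ kind: "inline", value: body.trim() });
  }
  return scripts;
}

// Record what a reviewed, known-good build of the page loads.
function buildBaseline(goodHtml) {
  return new Set(listScripts(goodHtml).map((s) => `${s.kind}:${s.value}`));
}

// Report every script on the live page that the baseline does not contain.
function auditPage(liveHtml, baseline) {
  return listScripts(liveHtml)
    .filter((s) => !baseline.has(`${s.kind}:${s.value}`))
    .map((s) => ({ kind: s.kind, value: s.value.slice(0, 60) }));
}

// Constructed sample: the reviewed build of the page.
const GOOD_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script>window.checkoutConfig = { currency: "USD" };</script>`;

// Constructed sample: the same page after an unreviewed change
// (one new third-party script, one edited inline block).
const LIVE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script src="https://cdn.unreviewed.example/lib.js"></script>
<script>window.checkoutConfig = { currency: "USD", debug: true };</script>`;

const findings = auditPage(LIVE_HTML, buildBaseline(GOOD_HTML));
console.log(findings);
```

External scripts are compared by origin only, so a first-party file altered on the backend would pass this check; file-level hash monitoring of the store's own scripts covers that case.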
Customers Alerted to Monitor their Bank Accounts
SCUF Gaming also emailed customers in May to alert them that their credit card information may have been exposed in a data breach and ask them to watch their bank accounts for unusual activity.
“This communication does not mean that fraud did or will occur on your payment card account,” SCUF Gaming told affected customers today. “You should monitor your account and notify your card provider of any unusual or suspicious activity. As a precaution, you may wish to request a new payment card number from your provider.”
On April 10th, SCUF Gaming disclosed another data breach after exposing an “internal development database” containing over 1.1 million customer records with personal and payment data.