Hackers appear to have compromised the online payment platform of video game retailer GameStop, with the company announcing on Friday that it is investigating reports of data from payment cards used at GameStop.com showing up for sale online.
GameStop offered few details about the timing of the breach or how many customers it could potentially affect, but said that it is working with a security firm to investigate. Citing sources in the financial industry, security expert Brian Krebs said on Friday that the GameStop website was likely compromised by “intruders” between last September and the first week of February.
In a blog post, Krebs wrote that “the compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a three-digit security code printed on the backs of credit cards.” He noted that CVV2 codes are not typically stored by online payment processors, suggesting that the hackers were able to capture them before they were submitted to verify a payment.
“GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified,” the company said in a statement, and reminded customers that credit and debit card agreements typically limit cardholders’ liability for unauthorized charges if they report them promptly.
Many breaches of online payment information have been reported in recent years, affecting organizations ranging from tech firms like Acer to Madison Square Garden, hotel chains and the California Department of Motor Vehicles. In Acer’s case, the company agreed to pay $115,000 in penalties after an investigation by the New York Attorney General’s office revealed that sensitive customer information was unencrypted and easily accessible to unauthorized users.