Do you frequent the website bodybuilding.com?
If so, be advised that the site has been breached. According to a recent statement by the company behind the site, the breach occurred in February 2019 and had its origins in a phishing email the company received back in July of 2018.
A detailed account of the incident was published on the company's help center and contained most of the elements we've come to expect when things like this happen:
- The company is very sorry that it happened
- "Certain" customer/member information may have been compromised
- The company has been working with law enforcement and has brought in a third party to assist with the forensic investigation, which is ongoing
Unfortunately, It doesn't say anything about the breach on the front page, and you have to go the very bottom of a long front page to find the Help Center. From there you have to search through 13 topics to find "data incident".
Some personal data definitely breached
The company also stressed that while partial payment account numbers were compromised, no full debit or credit card information was at risk. That is because the site only stores the last four digits of payment cards if and when a given user opted to have the data stored by the website.
Again in keeping with the common response to incidents like these, Bodybuilding.com reported that in exercising an abundance of caution, they are force-resetting all user passwords. If it's been a while since you've logged on, just be aware that the next time you do, you'll be prompted to change your password.
As to the specific data that was compromised, according to the latest information posted by the company, the following information was accessed by unknown third parties:
- User name
- The email address you used to sign up for the service
- Your billing and/or shipping address
- Your phone number
- Your order history
- Your birthday
- Any correspondence that may have occurred between you and the site administrators
- Any other information you included in your profile
Payment Card Industry Data Security Standard (PCI DSS) is responsible for breaches and audits when credit cards are at risk. Their PCI Compliance Guide is painstakingly thorough and complete. Take a look at an overview article. For those who are in the industry this affects. the compliance guide is the "Bible". Breaches that are caused by knowingly caused weaknesses in your defense strategy or by not responding properly to a breach can cause very real harm to your business and expensive compliance measures (including fines).
As ever, if you're using the same password on this site that you use on some other, be sure to change both immediately. Try hard to break the habit of using the same password across multiple web properties. Password Managers are inexpensive and work.
Meanwhile, check out this report
Free Executive Report: 10 Hidden IT Risks That Might Threaten Your Business
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.
I am Denis Wilson, President and Principal Consultant for DWP Information Architects. We specialize in managed IT support for smaller healthcare practices, financial services firms, and nonprofits in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations. As well as providing small business technology education programs through business and professional associations.
Contact me if you would like me to speak at your association.