If you’ve shopped at the GameStop website anywhere from mid-September 2016 to early February, there’s a chance your credit card information has been compromised by hackers, according to a security report by KrebsOnSecutiry, and acknowledged by GameStop.
GameStop had apparently been informed by a third-party that credit card payment data from his customers was found listed on sale on an (undisclosed) illegal website. The same day they received the security warning, GameStop responded to Krebs (and players’) worries:
“That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”
The compromised information includes card number and expiration date, but most notably CVV2s, the 3-digit code on the back of your card. Usually getting your credit card information (like the number and expiration date) compromised isn’t the end of the world, since they still need the code for offline purchases, giving the bank alarms if multiple wrong codes are tried, and giving you time to contact the bank if you feel something’s off.
But the CVV2 flies in the face of all that, allowing the criminals to make purchases immediately.
They closed their response to Krebs by telling us “[they] regret any concern this situation may cause for our customers […] GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges.”
After that initial declaration, however, we’ve got no more comments by GameStop regarding this breach.
Now, retailers aren’t supposed to store security codes in any form, but it is possible for hackers to intercept the information while the client is purchasing on the e-commerce site before it has the chance to be encrypted.
We aren’t sure about what happened behind GameStop’s website (it’s very unlikely but, maybe they do store the codes somewhere?). But what we know is, when it comes to online security, prevention is by far the strongest policy (the leaked information might be saved on hundreds of hard drives by now).
As it stands, GameStop isn’t positioning well among its fans: just last month the chain revealed it’d shut down over 150 stores this year in favour of online retailing, and now this incident might be enough to alienate even their most loyal customers.