Customer data might have been exposed, the company said in a short message posted on its website. Its staff isn't sure if the attacker accessed customer data, though.
A third-party security firm was hired to help with the investigation, but forensics experts couldn't confirm that customer data was stolen from Bodybuilding.com's servers, either.
Bodybuilding.com said investigators traced the unauthorized activity to a phishing email its staff received in July 2018. At least one employee appears to have fallen for this email.
Hackers used the data they obtained from this phishing email to access the company's network in February 2019. Bodybuilding.com didn't say when it detected the intrusion, but it said it finished its investigation on April 12. It went public with the security breach a week later, on April 19.
Despite not knowing if hackers accessed customer data, Bodybuilding.com decided to do the right thing and notify all of its customers of the security incident, as a precaution.
It also reset all users' passwords as well, to prevent any abuse in case attackers did manage to steal any data.
According to the company, if hackers did manage to access and steal customer data, possibly exposed details will include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in BodySpace profiles.
Social Security numbers and payment card details were not exposed, the company said, as the site never collected this information in the first place.
Besides notifying users of the breach, Bodybuilding.com is also alerting users that scammers might also try to imitate its data breach disclosure notifications for online fraud or phishing attacks.
Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to insert the Bodybuilding.com FAQs URL into your browser and does not request your personal data.
Bodybuilding.com is one of the internet's most visited sites, currently #1,657 on the Alexa website ranking. The site has over seven million registered users on its forum, and its website receives over 30 million visitors per month. The last time the site dealt with a major security issue was in 2008.