Data stolen from Hy-Vee customers offered for sale on Joker’s Stash Dark Web forum

A card dump of 5.3 million accounts may be tied to the recent security breach.
Written by Charlie Osborne, Contributing Writer

Information stolen from Hy-Vee customers has appeared in a popular carding forum, with 5.3 million cardholder accounts now up for sale. 

As previously reported by ZDNet, the supermarket chain issued a warning to customers on August 14 which explained that a data breach had occurred at point-of-sale (PoS) systems used by the firm's fuel pumps, coffee shops, and restaurants including Market Grilles, Market Grille Expresses, and Wahlburgers. 

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)

However, PoS systems used by Hy-Vee grocery stores, drugstores, and convenience stores are not believed to have been affected. 

Typically, PoS platforms are compromised through the installation of RAM scanners which are able to harvest payment card details once they have been swiped. This stolen data is then remotely transferred to a server controlled by an attacker and may be offered for sale as part of a data dump or used to create clone cards. 

It is not known who is behind the data breach, nor how long they were lurking on the firm's systems. Iowa-based Hy-Vee has launched an investigation and asked customers to keep an eye on their bank statements for fraudulent transactions. 

"If you see an unauthorized charge, immediately notify the financial institution that issued the card because cardholders are not generally responsible for unauthorized charges reported in a timely manner," the company said. 

Now, it seems that customers may, indeed, be at risk, as reported by KrebsOnSecurity. 

CNET: Facebook cracks down on more fake accounts tied to Myanmar

According to security expert Brian Krebs, 5.3 million accounts belonging to cardholders in 35 US states are being advertised as for sale on the popular underground marketplace Joker's Stash. 

Two unnamed sources told Krebs that the dump is being sold under the name "Solar Energy" in a data dump, with card account records on offer for between $17 and $35 each. 

A Hy-Vee spokesperson told Krebs that the company is aware of reports that customer data is up for sale, and "[is] working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts."

TechRepublic: Why hackers still impersonate Microsoft more than any other company

For consumers, this means that keeping an eye on bank accounts and credit reports is of importance. The sooner you know your card has been compromised, the quicker your bank can take action to remedy any fraudulent transactions or charges. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards