Rail Europe had a three-month long credit card breach

Credit card numbers, expiration dates, and card verification codes were stolen.

(Image: ZDNet)

If you booked train tickets for a European getaway in the past few months, you might want to check your bank statements.

Rail Europe, a site used by Americans to buy train tickets in Europe, has revealed a three-month data breach of credit cards and debit cards.

Read also: These were 2017's biggest hacks, leaks, and data breaches

The announcement came in a letter filed with the California attorney general, in which the company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018.

The company said credit card numbers, expiration dates, and card verification codes were stolen -- everything needed by a fraudster to carry out unauthorized purchases. The hackers also stole name, gender, delivery and invoicing addresses, phone numbers, email addresses, and in some cases usernames and passwords of customers on the website.

Users should change their passwords. If the same username and password set is used on any other site, they should be changed, too.

Rail Europe said it "replaced and rebuilt" compromised systems from known-to-be safe code. Although the company didn't say how the hackers breached its systems to install the credit card-skimming code, the letter added that passwords were changed and certificates were renewed following the hack.

It's not known how many customers are affected. California data breach law mandates that any breach affecting more than 500 state residents has to publicly list the breach notification with the state attorney general's office.

Read also: Online security 101: Tips for protecting your privacy

When asked how many people are affected by the breach, a spokesperson for Rail Europe said: "We are not sharing that information at this time."

According to the company's website, the site had over five million customers last year.

Got a tip?

You can send tips securely over Signal and WhatsApp at 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More