Severity
High
Analysis Summary
ZAGG Inc. is alerting consumers that hackers have accessed a third-party application offered by BigCommerce, the company's e-commerce provider, exposing their credit card information to unauthorized parties.
A manufacturer of accessories for consumer electronics, ZAGG is well known for its mobile accessories, which include power banks, phone covers, keyboards, and screen protectors. The Utah-based business makes $600 million a year. According to the notification letter sent to those affected, the attacker gained access to BigCommerce's FreshClick app and introduced malicious code, which resulted in the theft of customers' credit card information.
ZAGG discovered that between October 26, 2024, and November 7, 2024, an unidentified attacker introduced malicious code into the FreshClick app. This code was intended to collect credit card information entered during the checkout process for specific ZAGG.com customer transactions. BigCommerce is a software-as-a-service (SaaS) e-commerce platform company with headquarters in Austin that caters to a wide spectrum of companies in different sectors and geographical areas, from startups to multinational conglomerates.
A third-party tool called FreshClick assists in developing responsive websites and apps for the BigCommerce platform. It is intended to improve consumer satisfaction and the operation of electronic stores. Despite not being created by BigCommerce directly, FreshClick is available through the app marketplace, a carefully controlled area where retailers can locate and set up shop add-ons.
BigCommerce stressed in a statement that there was no penetration or breach of its systems. Through its internal tools and conversations with the partner, it confirmed that the FreshClicks App, a third-party app, was compromised. BigCommerce then promptly uninstalled the app from its customers' stores, eliminating any harmful code and compromised APIs, and acting in the best interests of its clients and their users.
Due to this data breach, between October 26 and November 7, 2024, the attacker obtained the names, addresses, and credit card information of customers of zagg.com. Following this event, ZAGG alerted federal law enforcement and regulators, implemented remediation measures, and arranged for affected consumers to receive a complimentary 12-month credit monitoring service from Experian.
The letter also encouraged recipients to set fraud alerts, monitor financial account activity carefully, and consider freezing their credit. ZAGG has not yet revealed the number of customers affected by this security incident. Six FreshClick-made add-ons are now available in BigCommerce's store, with 178 reviews. It's possible, though, that the compromised plugin was temporarily removed.
Impact
- Sensitive Data Theft
- Financial Loss
- Unauthorized Access
Remediation
- Regularly back up critical data and systems. In the event of a successful attack or compromise, having recent backups can help you restore operations and minimize data loss.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.