The Green Bay Packers have revealed a significant data breach affecting their official online store, Packers Pro Shop, which occurred between late September and October 2024.
Hackers exploited the platform by injecting malicious code into the checkout page, enabling them to steal sensitive customer information, including names, addresses, and full credit card details. After detecting the intrusion on October 23, the team took immediate action by disabling checkout functions and enlisting cybersecurity experts to investigate the breach’s scope and impact.
This incident comes at a crucial moment for the Packers organization as the team prepares for their upcoming playoff game against the Philadelphia Eagles, scheduled for Sunday, January 12th, and has serious implications for customers who made transactions using credit cards during the compromised time frames.
The attackers used advanced techniques to bypass security measures, including using a JSONP callback and YouTube’s oEmbed feature to exfiltrate data. The Packers have since implemented improved security protocols and are offering customers three years of credit monitoring services through Experian.
Why It Matters: The Packers’ Pro Shop breach is a reminder that anywhere online transactions are made, there’s always a risk of compromise, even on trusted platforms. Fans who shop at the Pro Shop’s credit card information and other personal details could now be in the hands of criminals, potentially leading to identity theft, fraudulent charges, or phishing scams. Given how hackers specifically targeted an NFL team’s e-commerce site, it also raises questions about the readiness of similar platforms to defend against these creative cyberattacks.
- Breach Timeline: The malicious code was active on the Pro Shop’s checkout page during two critical periods: September 23–24 and October 3–23, 2024. The breach was discovered on October 23, prompting immediate action to disable payment functionality and launch an investigation.
- Stolen Information: The attackers obtained names, billing and shipping addresses, email addresses, and full credit card details, including expiration dates and CVV numbers. Payments via gift cards, Pro Shop accounts, PayPal, or Amazon Pay were not affected.
- Response and Containment: The Packers enlisted third-party cybersecurity experts and required their website vendor to remove malicious code, refresh passwords, and confirm system vulnerabilities were addressed. Enhanced security measures have since been implemented to prevent future breaches.
- Broader Context: Dutch e-commerce security firm Sansec, which alerted the Packers to the breach, noted the attackers used advanced techniques like injecting scripts from external sites to exfiltrate data.
Go Deeper -> Green Bay Packers’ Online Store Hacked to Steal Credit Cards – Bleeping Computer
Green Bay Packers Defenses Breached as Fans’ Credit Card Details Stolen – Cyber News
Green Bay Packers Online Store Used to Steal Fan Credit Card Details – Tech Radar