WooThemes is investigating alleged website vulnerabilities

Written By Brian Krogsgard

19 thoughts on “WooThemes is investigating alleged website vulnerabilities”

  1. I read their updates too.
    If WooThemes got hacked, is it possible for WooCommerce to also get hacked?
    My online shop uses WooCommerce; I don’t want my customers to get hacked after purchasing a product in my online shop.

  2. I’m a WooThemes customer from Poland and I got like 40 transactions for 10 USD yesterday. After the account was drained (I only had like 350 USD on it) the bank blocked the card… I’m going to the police and the bank but I do not have high hopes…

  3. To those who were victims (of this specific case and others):

    All major credit card companies (Visa, MasterCard, AMEX etc.) protect consumers against this sort of thing. You simply have to contact your bank and tell them you didn’t authorise the transaction. They will contact the party where the fraudulent purchase was made and ask for proof that it was the legitimate cardholder who made the purchases. The burden always lies on the seller (the one who authorised the fraudulent transaction), not on the card-holder.

    This does, however, depend on your bank (and the credit card association); and it is a lengthy process to get the paperwork filled in, but there are checks in place to protect the consumer.

  4. I think this goes further back than a week. I bought stuff in january and also had fraudulent activity on my credit cards.

  5. This doesn’t just apply to customers who’ve bought stuff in the last week or so. Me and a friend of mine who’s also a web developer and WooThemes customer noticed on Wednesday (7th) that we’d both had suspicious transactions blocked by our bank, and cards cancelled. The circumstances (timing, nature of fraud) were too common to be coincidence, so we put our heads together, compared suppliers and transactions, and came up with WooThemes as one of two possible common links.

    Our last WooThemes purchases were in January and February, and we subsequently found a third person who had been hit who had last purchased in February.

    See our Tweets from Wednesday to show we were onto this back then:

    – Woo, or Inspire Commerce (their payment provider) DO actually store card details somewhere; or
    – someone’s been intercepting/siphoning off card details for at least a few months!

  6. We are busy analysing all reported fraudulent transactions to discover a pattern. Almost all fraudulent transactions have occurred in the last 5 days it seems, with us getting more responses from customers after sending our news blast.

    Whilst the fraud has happened in that period, the actual transactions on WooThemes do (in a small number of cases) go back to the beginning of the year. This doesn’t add up and further audits are being conducted.

    We do not store credit card details so we believe this information was potentially intercepted in the checkout process.

  7. Hi, I bought the plugin “Catalog Visibility Option” on “Woothemes.com” on January 27th, and paid with my credit card (Mastercard).
    Last Sunday my credit card was used to pay for a service bought on “Lastminute.com”, BUT NOT BY ME!!
    I quickly blocked the credit card and the process to get my money back is under way with the bank, but what WooThemes wrote me via e-mail today makes me think that something happened with my cc through my purchase on “Woothemes”, because in other transactions I made in the past, I always had to insert an OTP generated by a physical device available only to me.
    Ivan – Brescia (ITALY)

  8. I made a purchase on 04/02/14 at WooThemes with my Business Visa Card; three days ago I was alerted of a fraudulent charge of nearly $4500. Not sure if it is related, but they tried to make a purchase at Fry’s electronics store. I have been issued and am waiting for a new card.

    On 1/27 I made a purchase at WooThemes with my Business Debit card; I have not seen fraudulent behavior on that card.

    I emailed Woo and heard back from Magnus but thought I would post here as well.

    • OK, I am updating here. My business debit card has been compromised this AM. So anyone reading this here, the last time I used that card at Woo was on 1/27/14 so whoever had been doing this for several months.

      Now I am borderline pissed because now I don’t have access to both my business credit or debit cards as they both have been canceled/reissued. Kind of a pain in the ass and I have to go through every account I used these cards with and update this information.

      On the same page as Scary, no real apology from Woo or even an offer for a discount, nothing.

  9. Same here. The last transaction I made with WooThemes was mid-March. Fraudulent activity has been going on for only the last few days. I assume the vulnerability was exploited quite a while ago and data has been collected over a long period. Then recently the big credit card / customer information repo has been sold on the black market (only an assumption).

    Fraudulent payments on my business card were made to UK shopping sites rather than from random countries round the world (I’m from the UK).

    Then again, it could just be a coincidence… ¯\_(ツ)_/¯

  10. I have purchased from WooThemes a couple of times this year. The last time was a month ago. Now, last Sunday two of my credit cards I have used on WooThemes were compromised. With one of them someone tried to purchase 690 EUR worth of merchandise from notebook.de and they succeeded. The second one was used to buy 3500 EUR worth of merchandise but the bank was already alarmed and they blocked it. Luckily my bank was quickly on it and they warned me about it.

    Also, I was lucky to get my money back. Nevertheless, I had to close two of my credit cards and nearly had a heart attack…

  11. I had the same experience as Nathan.

    I saw pending transactions (that I wasn’t expecting) on my business account whilst at the ATM and then by coincidence saw a news item on Hacker News. I had made some purchases on Woothemes back in early April.

    After contacting my bank, they confirmed purchases pending from / at Frys and when I confirmed that those were not initiated by me they took over and so far the transactions are still pending but I too have to get a new bank card.

    I have just emailed Woothemes to confirm that I was affected so they have that for their records.

  12. I emailed them in response to the news that I too had a fraudulent purchase scare – I got lucky and the transaction failed (they tried to buy plane tickets) but oddly Woo asked me for NO information (when did I purchase, with what email account, etc., anything that may help them understand how far it goes back, etc.). When my card got skimmed last year AT my own bank’s ATM they wanted every detail. Yes, cards are protected but this is a huge inconvenience, not to mention a real scare. You’d think something more than “sorry”, like hey here’s a coupon have some free plugins, would be forthcoming. P.S. I have had a tremendous amount of phone calls for loan apps using my cell # (apparently from a website that ferrets them out to loan companies on the web) – I have yet to understand how one secures a loan if they’re using my cell # I am in possession of so I’m assuming it’s unrelated and someone used my number in error or someone’s pissed at me (well played if that’s the case!).

  13. I got an email from them about the credit card hack but it was too late and I had to go through the process of cutting up my new PayPal debit card and contacting my bank about the 20 transactions that depleted my checking account PayPal drew from. I had $150 of service charges my bank forgave, being it was fraud. The point is it was a mess and time consuming. The steps WooThemes took were to upgrade security (should have done that beforehand) and quote: offer a coupon code which gives you 50% discount (valid until 31 May 2014), should you want to continue to use our products. I ask why a deadline on the coupon? To hurry and buy something more from us. Looks like they want a hand out for some quick sales. Give the D.. thing to those who were hurt in this matter, no deadline or strings attached.

  14. As I wrote on May 9th, I was among the people hit by the credit card hack while purchasing on the WooThemes site.

    It cost me a lot of time to resolve: going to the bank branch, going to the police office to report it, asking the bank to reissue a new credit card (= spending again).

    Now you offer us a DISCOUNT, which means that you are going to do more NEW business with us starting from this situation!!

    I find this commercial attempt by you very unpleasant; asking us to give you MORE money (the remaining 50%)….

    I think it’s better to give us a completely free coupon…. or don’t mention anything, it will be better for WooThemes’ reputation!

  15. If you use a credit card number on the internet, there is a very good chance it will be compromised. My card number has been ‘hacked’ 12 times in 10 years. I call and have them removed. Takes 30 minutes.

    Why is everyone making a big deal about it?
