If you shopped on GameStop’s website this fall or winter, you’ll want to keep an eye on your credit-card statements for a bit. GameStop confirmed to security expert Brian Krebs that it is looking into a breach during that period that may have compromised not only credit card numbers, but also addresses, the 3-digit CVV2 numbers on the back, and expiration dates.
“GameStop recently received notification from a third party that it believed payment-card data from cards used on the GameStop.com website was being offered for sale on a website,” a GameStop spokesperson told Krebs.
The company has hired a “leading security firm” to investigate the claims.
Big, if true
If you’ve spent any time reading about credit-card breaches like these in the past, you’ll notice something about the leaked info listed above. There’s a lot of it. Merchants don’t store those CVV2 codes in their databases, and those are typically one of the biggest barriers to hackers using stolen credit cards.
If the card info was leaked and those codes are in there, that suggests that the hackers responsible got the data not by pulling down a database but by placing code on GameStop’s site, recording the data as users submit it rather than after it’s encrypted and sent.
If you shopped on GameStop’s site in the last six months or so, watch your card with a close eye.