The Green Bay Packers just fell victim to hackers — or rather, the team’s online store did. The bad news? That means your credit card information could be in danger if you’ve recently shopped at the NFL team’s official online retail store. The Packers released a notice of a data breach, notifying its customers about the October hack. Here’s what we know.
Hackers managed to access the store and insert a card skimmer script to steal payment and personal information. The data affected includes credit card types, expiration dates, numbers, and verification numbers, which could put customers at risk of credit card fraud. Hackers also got access to names, addresses, and email addresses, says Bleeping Computer.
The NFL team had already turned off all payment and checkout capabilities after discovering on October 23 that the site had been compromised. The Green Bay Packers hired cybersecurity experts to investigate the incident and determine whether any customer information had been accessed. Thanks to the investigation, they discovered that personal and payment information was stolen between September and early October 2024.
“Based on the results of the forensic investigation, on December 20, 2024, we discovered that the malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website between September 23 and 24, 2024, and October 3 and 23, 2024.”
There is some good news in all of this. If customers paid for their items using PayPal, Amazon Pay, a Pro Shop website account, or a gift card, their information was not affected. The NFL team also took action.
“We also immediately required the vendor that hosts and manages the Pro Shop website to remove the malicious code from the checkout page, refresh its passwords, and confirm there were no remaining vulnerabilities,” said Chrysta Jorgensen, the Packers’ director of retail operations.
Sansec, a Dutch security company, notified the Packers of the breach. According to Sansec, the threat actors used a JSONP callback (JSON with Padding, which means a technique that enables cross-domain requests) as well as YouTube’s oEmbed features to bypass the Content Security Policy (CSP) and carry out their attack.
The Green Bay Packers offered those affected three years of credit monitoring and identity theft restoration services. If you bought anything in the Packers’ online store during the period of September to October 2024, make sure to monitor your credit card statements for fraudulent activities.
This isn’t the first time hackers have targeted the NFL. Multiple teams were targeted back in 2023, and a total of 15 NFL teams had their social media accounts breached.