No Wiggle room: Two weeks after angry bike shop customers report mystery orders on their accounts, firm confirms payment cards delinked

It was a fraudster! Finally an excuse for why there's a £250 Lycra bodysuit on your bank statement


Updated Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves.

Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number of customers' login details have been acquired outside of Wiggle's systems and some have been used to gain access to Wiggle accounts and purchases made."

"We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.

"To protect our customers, all accounts will require the re-entry of card details for the next purchase."

He went on to say that credential-stuffing crooks who'd obtained nicked login details (and ostensibly, reused passwords) via other methods had used them to "gain access to genuine customer accounts" - adding that the firm "recommended our customers change their password if they have any concerns".

He did not explain why Wiggle had seemingly kept silent on the issue for days nor why it seemingly had taken so long to take remedial action.

A Twitter user called Omid told The Reg earlier today: "Various people have had money stolen and Wiggle are not responding, or are dragging their heels."

Over the past few days, Wiggle appeared to be asking users to contact it via direct message. An operator of the firm's Twitter account told a user today at 15.28 BST: "Our systems remain secure but we're investigating currently. Additional security is in place and account issues have been prioritised. DM your information ASAP and we'll respond urgently. Apologies."

Customers first began making the apparently fraudulent orders public as far back as 2 June, with irate cyclists complaining both that mysterious orders were appearing in their accounts and that their account credentials had been changed without their knowledge.

In an incautious Twitter reply to one affected punter, Wiggle noted:

The corporate Twitter account has since begun replying to customers' Twitter enquiries, albeit with a copy-pasted message promising someone will be in touch.

Road magazine was first to reveal that the retailer, which sells everything from expensive figure-hugging bodysuits to specialised road bicycles and aerodynamically sculptured helmets, had apparently "fallen victim to a cyber security breach."

Placing orders and changing address details in an online account requires a successful login - and the credential-stuffing explanation is a plausible one - but it raises some questions. We have asked Wiggle about the speed of its security incident response and its lack of public comment up to this point.

Informed readers will also be raising questions about things like rate-limiting logins and enforced password changes.

Wiggle will be required to report the incident to the Information Commissioner's Office within 72 hours of becoming aware of it. As Uber previously found out, credential stuffing attacks are also a notifiable data protection incident. The Register has asked the UK watchdog whether Wiggle has done so. ®

Updated at 17:52 BST to add

Wiggle has been in touch to tell us: "It has been in the last 24 hours where Wiggle has seen a small but still significant spike in alerts by customers and has devoted additional resources to responding to these inquires and introduced additional steps, such as delinking payment cards, as a precaution. As mentioned Wiggle is also recommending customers update their passwords for further protection. Wiggle is also currently working with the ICO and following their guidance."

Similar topics


Other stories you might like

  • Share your experience: How does your organization introduce new systems?

    The answer is rarely obvious. Take part in our short poll and we'll find out together

    Reg Reader Survey The introduction of new systems into an organization is essential. If we stay still, if we continue to rely on legacy systems, if we fail to innovate – well, we (or, in reality, the company) will die. As business guru Sir John Harvey-Jones once put it: “If you are doing things the same way as two years ago, you are almost certainly doing them wrong.”

    But who should lead innovation in our companies? Who should be introducing new systems? The answer is not obvious.

    On one hand, the introduction of new systems into the business should be led by the business. In principle, the people doing the work, dealing with the suppliers, selling to the customers, are best placed to be standing up and saying: “We need the system to do X,” whether their motivation be to reduce cost, increase revenues, make products more efficiently, or even bolster our environmental credentials.

    Continue reading
  • These Rapoo webcams won't blow your mind, but they also won't break the bank

    And they're almost certainly better than a laptop jowel-cam

    Review It has been a long 20 months since Lockdown 1.0, and despite the best efforts of Google and Zoom et al to filter out the worst effects of built-in laptop webcams, a replacement might be in order for the long haul ahead.

    With this in mind, El Reg's intrepid reviews desk looked at a pair of inexpensive Rapoo webcams in search for an alternative to the horror of our Dell XPS nose-cam.

    Rapoo sent us its higher-end XW2K, a 2K 30fps device and, at the other end of the scale, the 720p XW170. Neither will break the bank, coming in at around £40 and £25 respectively from online retailers, but do include some handy features, such as autofocus and a noise cancelling microphone.

    Continue reading
  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading
  • Intel teases 'software-defined silicon' with Linux kernel contribution – and won't say why

    It might enable activation of entirely new features on existing Xeon CPUs … or, you know, not

    Intel has teased a new tech it calls "Software Defined Silicon" (SDSi) but is saying almost nothing about it – and has told The Register it could amount to nothing.

    SDSi popped up around three weeks ago in a post to the Linux Kernel mailing list, in which an Intel Linux software engineer named David Box described it as "a post-manufacturing mechanism for activating additional silicon features".

    "Features are enabled through a license activation process," he wrote. "The SDSi driver provides a per-socket, ioctl interface for applications to perform three main provisioning functions." Those provisioning functions are:

    Continue reading
  • Chip manufacturers are going back to the future for automotive silicon

    Where we're going, we don't need 5nm

    Analysis Cars are gaining momentum as computers on wheels, though chip manufacturers' auto focus isn't on making components using the latest and greatest fabrication nodes.

    Instead, companies that include Taiwan Semiconductor Manufacturing Co and Globalfoundries are turning back the clock and investing billions in factories that use older manufacturing techniques to make chips for vehicles.

    The rapid digitization and electrification of cars has created a giant demand for smaller, more power-efficient auto chips, said Jim McGregor, principal analyst at Tirias Research. He added that cars don't necessarily need the latest manufacturing processes, though, and many are still using analog-based components for various functions.

    Continue reading

Biting the hand that feeds IT © 1998–2021