Updated Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves.
Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number of customers' login details have been acquired outside of Wiggle's systems and some have been used to gain access to Wiggle accounts and purchases made."
"We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded.
"To protect our customers, all accounts will require the re-entry of card details for the next purchase."
He went on to say that credential-stuffing crooks who'd obtained nicked login details (and, presumably, reused passwords) via other methods had used them to "gain access to genuine customer accounts" - adding that the firm "recommended our customers change their password if they have any concerns".
He did not explain why Wiggle had seemingly kept silent on the issue for days nor why it seemingly had taken so long to take remedial action.
A Twitter user called Omid told The Reg earlier today: "Various people have had money stolen and Wiggle are not responding, or are dragging their heels."
Over the past few days, Wiggle appeared to be asking users to contact it via direct message. An operator of the firm's Twitter account told a user today at 15.28 BST: "Our systems remain secure but we're investigating currently. Additional security is in place and account issues have been prioritised. DM your information ASAP and we'll respond urgently. Apologies."
Customers first began making the apparently fraudulent orders public as far back as 2 June, with irate cyclists complaining both that mysterious orders were appearing in their accounts and that their account credentials had been changed without their knowledge.
@Wiggle_Sport My account has been hacked and an order for £72 spent on my debit card. I've logged it via your contact form but wonder if you can deal with it quicker than the 4-6 days stated as the order is to be delivered to the fraudster tomorrow! Seems unfair he gets the jacket!— Miss Lang (@Miss_Lang_BMA) June 2, 2020
Hey @Wiggle_Sport, some naughty fraudster has been in my Wiggle account and ordered a bunch of stuff. I tried to cancel the orders within 10 mins of them being placed but apparently it's already too late even though you've not processed them yet.— Gavin (@MisterOnions) June 10, 2020
In an incautious Twitter reply to one affected punter, Wiggle noted:
Hi Kobi. There is nobody from Customer Services monitoring Twitter posts so I have forwarded this and asked them to get back in touch.— Wiggle (@Wiggle_Sport) June 15, 2020
The corporate Twitter account has since begun replying to customers' Twitter enquiries, albeit with a copy-pasted message promising someone will be in touch.
Road magazine was first to reveal that the retailer, which sells everything from expensive figure-hugging bodysuits to specialised road bicycles and aerodynamically sculptured helmets, had apparently "fallen victim to a cyber security breach."
Placing orders and changing address details in an online account requires a successful login - and the credential-stuffing explanation is a plausible one - but it raises some questions. We have asked Wiggle about the speed of its security incident response and its lack of public comment up to this point.
Informed readers will also be asking about the basic defences against credential stuffing, such as rate-limiting login attempts and forcing password changes on accounts that show signs of compromise.
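As an added illustration, not part of The Register's article and not code from Wiggle, here is a small Python detector over constructed login events that shows the two controls just mentioned: it flags a source IP that cycles through many distinct usernames (the signature of a credential-stuffing run, as opposed to one user retrying their own password) and lists the accounts that were successfully entered, which are the ones a retailer would force through a password reset and card delink; a second function applies a sliding-window login rate limit. All IPs, usernames and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events for a hypothetical retailer, not real log data.
SAMPLE_EVENTS = [
    # (timestamp, source_ip, username, outcome)
    ("2020-06-02T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2020-06-02T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2020-06-02T10:00:02", "203.0.113.7", "carol", "success"),
    ("2020-06-02T10:00:03", "203.0.113.7", "dave", "fail"),
    ("2020-06-02T10:00:03", "203.0.113.7", "erin", "fail"),
    ("2020-06-02T10:00:04", "203.0.113.7", "frank", "success"),
    ("2020-06-02T10:00:04", "203.0.113.7", "grace", "fail"),
    ("2020-06-02T10:00:05", "203.0.113.7", "heidi", "fail"),
    ("2020-06-02T10:01:00", "198.51.100.9", "alice", "fail"),
    ("2020-06-02T10:01:30", "198.51.100.9", "alice", "success"),
]

def _by_ip(events):
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    return {ip: sorted(a) for ip, a in per_ip.items()}

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Flag IPs trying many distinct usernames in a short window.
    The success-ratio cap keeps a shared office NAT (many users, mostly
    successful logins) from being flagged; a stuffing run mostly fails,
    succeeding only where a customer reused a password leaked elsewhere."""
    flagged = {}
    for ip, attempts in _by_ip(events).items():
        for i, (t0, _, _) in enumerate(attempts):
            in_win = [a for a in attempts[i:] if a[0] - t0 <= window]
            users = {u for _, u, _ in in_win}
            if len(users) < min_users:
                continue
            hits = [u for _, u, o in in_win if o == "success"]
            if len(hits) / len(in_win) <= max_success_ratio:
                # hijacked accounts: force password reset and delink stored cards
                flagged[ip] = {"distinct_users": len(users), "hijacked": sorted(hits)}
                break
    return flagged

def should_throttle(events, ip, limit=10, window=timedelta(minutes=1)):
    """Sliding-window rate limit: True if this IP's latest attempt should be refused."""
    attempts = _by_ip(events).get(ip, [])
    if not attempts:
        return False
    now = attempts[-1][0]
    return sum(1 for t, _, _ in attempts if now - t <= window) >= limit
```

In production the thresholds would be tuned against real traffic and the throttle keyed on more than source IP, since stuffing tools rotate through proxy pools.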
Wiggle will be required to report the incident to the Information Commissioner's Office within 72 hours of becoming aware of it. As Uber previously found out, credential stuffing attacks are also a notifiable data protection incident. The Register has asked the UK watchdog whether Wiggle has done so. ®
Updated at 17:52 BST to add
Wiggle has been in touch to tell us: "It has been in the last 24 hours where Wiggle has seen a small but still significant spike in alerts by customers and has devoted additional resources to responding to these inquiries and introduced additional steps, such as delinking payment cards, as a precaution. As mentioned, Wiggle is also recommending customers update their passwords for further protection. Wiggle is also currently working with the ICO and following their guidance."