Wiggle has confirmed a number of customers have fallen victim to fraudsters who made unauthorised purchases from their accounts.
Reports began to circulate over the week after some Wiggle shoppers received notification of purchases they hadn’t made, including one customer who noticed an order for a £230 Castelli skinsuit.
Wiggle has now confirmed to Cycling Weekly that some customer accounts had been fraudulently accessed.
It is believed that the customer login details were obtained from other sites, and that the fraudsters gained access by trying those passwords on multiple different websites to exploit anyone who uses the same password on multiple accounts, a technique known as credential stuffing.
Wiggle CEO Ross Clemmow said: “Data security is of the utmost importance to us. We’ve investigated the isolated incidents where accounts have been accessed, and we understand a small number of customers’ login details have been acquired outside of Wiggle’s systems and some have been used to gain access to Wiggle accounts and purchases made.”
One customer said on Twitter on June 13: “Someone (not me) changed my account details and made a fraudulent purchase. I’ve emailed support but not heard back. Live chat hasn’t been working for hours. No phone number to ring.”
Another said on June 11: “My account has been hacked. I’ve had an order put through on my account to buy some trainers. I’ve sent you an email about this but you say it will take eight days to get back to me. I need this cancelled and my account reset now.”
Wiggle has now acknowledged the problem and said it is reaching out to affected customers, and that anyone who has fallen victim to the scammers will be refunded.
To avoid further fraudulent transactions, Wiggle will also ensure that all customers have to re-enter their card details before making any new purchases.
The company is also recommending Wiggle users change their passwords if they are concerned.
Clemmow added: “We have taken steps to identify these compromised accounts and we will be individually contacting these customers. All impacted customers will be refunded. To protect our customers, all accounts will require the re-entry of card details for the next purchase. We are aware that where customers utilise the same password across multiple websites, fraudsters with access to some details can feasibly use these to try and gain access to genuine customer accounts. We recommend our customers change their password if they have any concerns. We would like to assure our customers we’re prioritising all enquiries related to this issue.”