April 7, 2017

Video game giant GameStop Corp.  [NSYE: GME] says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity.

gs“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman wrote in response to questions from this author.

“That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified,” the company’s statement continued.

Two sources in the financial industry told KrebsOnSecurity that they have received alerts from a credit card processor stating that Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017.

Those same sources said the compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards.

Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before it is encrypted and transmitted to be processed.

GameStop would not comment on the possible timeframe of the suspected breach, or say what types of customer data might be impacted.

Based in Grapevine, Texas, GameStop generated more than $8.6 billion in revenue in 2016, although it’s unclear how much of that came through the company’s Web site. GameStop operates more than 7,000 retail stores through the United States, Canada, Australia, New Zealand and Europe. There is currently no indication that the company’s retail store locations may have been affected.

According to Web site statistics firm Alexa.com, Gamestop.com is the 269th most popular Web site in the United States.

“We regret any concern this situation may cause for our customers,” Game Stop said in its statement. “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”

45 thoughts on “Gamestop.com Investigating Possible Breach

  1. Jon McCormick

    Thanks Brian.

    My kids use Gamestop constantly. I’m sure we had some purchases during the time frame.

    Appreciate the heads up!


    1. Michael Gilreath

      I am a regular consumer purchasing quite often. A response from the hierarchy of gamestop stated they will “non stop” to continue to address this however is that supposed to lullaby me to feel my information is safe? Who is protecting our information? Gamestop? A hired tech hand surfing the surface web? This is ridiculous! Sure, remain calm as the media promises to protect there customers with false media reports. The propaganda ends here. Every single major data breach I will post on social media as the MAJORITY won’t know this has happened. SENSOR THIS!!!

  2. Maztron

    Now it makes sense why my card was breached. A few weeks back capital one called and texted me immediately as it happened to confirm multiple purchases at walmart.com.

    1. Ken R

      Haven’t purchased anything through the GameStop website, but have through a retail store, so far nothing there. But, this reminds me of a few years back where I had a card that was breached. I was first skeptical of the message I had received, especially as the phone number didn’t correlate with anything I could find on the web as being a number for that issuer. So, I called in through the numbers that I knew, they put me through, and yes it was an actual breach. A fake card in question was used at a Walmart about 500 miles away. As I was being questioned to determine that it was actually not me that made that purchase (just an hour before), another transaction was attempted at a Walmart about 500 miles from the original transaction, and about the same distance from me. Doesn’t take long for fake copies of the same card to be available to multiple people.

      1. CJ

        Ever heard of IRC?

        You can buy these GameStop cards on there as we speak and the person who alerted GameStop was probably someone in those #channels.

  3. IRS iTunes Card (real)

    Another week another breach

  4. Del

    hackers later offered to sell the used data back to gamestop. who offered them 10c on the dollar

    1. Reader

      Haha. Only college textbook stores are worse with used buybacks.

      1. MW

        Steve, I think Del was joking — Gamestop buys used games, but you might only get $5 or $10 for a game that had cost $50 when you bought it new, a month earlier. 🙂

      2. Chris

        It’s a joke on how GameStop rips people iff by offering pennies for trade in for games that they sell at a huge mark up. A 60$ game gets you 30$ the very next week when you trade it in.

          1. Kennedy

            You have to open it or they wont accept it as a “used” game and wont do a return for store credit without a receipt. I griped at my husband for opening a game that he had won at work, it was a game he would never play so he wanted to trade it in, they wont accept unopened games so he had to open it.

            1. Sickley

              Who exactly is offering better deals than GameStop? How much does Walmart, target, bestbuy, etc offer you if you want to return a game you have opened and played?

  5. Grey

    Well I’m glad that I didn’t buy anything from their website during that time frame.

    1. Dustin McEarchern

      I have never used their online store thankfully. I do my very best to limit my exposure to breaches by purchasing from as few online vendors as possible. The breaches just keep coming. Bigger and bigger each time it seems.

  6. Parrish Gunnels

    I can’t tell you over the past few years the number of “security directors” that have floated in and out of Game Stop. It seemed to be a revolving door. It was obvious there are issues at this company trying to get a real security program started and sustained.

  7. Ollie Jones

    There are multiple card-processing vendors suitable for online sales that ….

    a) charge favorable transaction rates.
    b) work in ways that never require the merchant’s servers to see the payment card numbers, expiration dates, or CVV2 numbers.

    Why not use such a vendor if you’re an online merchant? You save money over traditional payment processing, and you put that sensitive data into the hands of genuine security experts.

    I did a renovation of a commerce web site a while ago to use one of those services, and they’ve never looked back.

    But, I bet a lot of merchants beleive something like “oh, our requirements are too complex for that.” Baloney. It’s the not-invented-here disease, but it infects customers and the banking system.

    1. Lithops

      Aside from someone like Paypal, what OTHER “double-blind” systems are out there? I’d sure like to know!

  8. Karen Barney

    Any chance this could be one of the retailers impacted by the Aptos breach? The timing seems about right…

    1. Bobs Hoenisch

      Gamestop appears to be one of their clients. My card game up on a list that my bank has from a recent compromise. I didn’t shop at Gamestop.com but I did at another client of Aptos, Gander Mountain.

  9. EstherD

    Probably explains why our bank called yesterday to say they were going to replace daughter’s debit card due to “possible fraud” at some unspecified location.

    We reviewed daughter’s purchase history, and found that she had made a purchase through Gamestop.com in 11/2016. Seems a likely match.

    Without this article, I would have guessed it was a PoS at one of the restaurants in the town where she attends college. So thanks, Brian!

    Haven’t seen the replacement card yet. Possibly there will be a letter enclosed with it that will give additional details. If so, then I will update this post.

    1. JasonR

      Doesn’t mean the CC couldn’t have been compromised at both GameStop.com and another location. The GameStop.com correlation could have just been the card-replacement triggering event.

  10. LisaMc

    What did they know and when did they know it, and why didn’t they tell their affected customers? They don’t just need a better security program, they need some ethics.

    1. somguy

      It appears they didn’t know until customers started having stolen card numbers used. In other words, the payment processors noticed a pattern.
      That is bad because it means gamestop isn’t paying enough attention to its internal network to find it on their own.
      That’s also why customers haven’t been notified, they haven’t figured out how the hackers got the information or what they took. Once they figured that out they will notify.

  11. Joyce

    My card was compromised on my grandsons computer now I have to purchase the a PSN card in the amount of $59 in order to open his account …. this was not my fault … I think there is undermining going on here

  12. Not telling my name

    I was literally thinking of gamestop today and this just popped up on my phone. I think I’m at risk. I have ordered online during this time frame I’m gonna go replace my debit card now

  13. Ryan

    I did make a purchase during that timeframe, so I went ahead and closed and reissued the credit card I used. Thanks for the heads up, Brian!

  14. Chris

    How can affected customers report this type of credit card theft? I think I was the victim of this, not at Gamestop but on another website. What I can I do other than reporting to my credit card company (they refunded the charges) and to the merchant (they did not respond)?

    1. JasonR

      There is really nothing you can do, beyond what you did in reporting the fraud charges and telling them you want a new CC# as the old one has been compromised. The legal logic here is that your bank is the victim here, not you. Your bank has to pursue the credit card processor. If it wasn’t for folks like Krebs, we often wouldn’t get confirmation of the dots being connected.

  15. Mike2

    I love how literate people seem to be anymore. The lack of understanding how things relate, such as what in direction interactions happen, shows in the lack of understanding language. Now people are saying that their cards got breached. NO!

    The server’s security, or a web site’s (not “sight”) security or database is what was breached. Look up the word in the dictionary. Your card numbers are what was taken, not the thing that was broken into/through.

    When we see a humpback whale pop out of the water vertically and slam down again, we call it breaching. What is it breaching? The water’s surface. Please learn to read properly and think.

    1. Cricket

      It’s ironic that you used “literate” instead of “illiterate”.

  16. John

    Just how many video games are sold by this company. They need to work on providing better security to their customers.

  17. tony Pelliccio

    This is interesting. It appears it was a man in the middle account if they’re capturing ccv data. I wonder how long it will be before we start seeing computers with chip card readers. Wait, some machines already read smart cards so they could read the chip too.

  18. Elijah Litscher

    Does it make any difference if you choose to “save” your credit card purchases for future purchases or not? In other words, if you choose not to save the info for future purchases, is your credit card information still compromised in cases like this?

    1. Lithops

      Actually, I think the majority of online vendors save your c.c. data by default! I became aware of this practice several yrs. ago when I placed an order with a company via their 800 number (Internet was down or something). In the past, I’d placed orders online, and the salesperson asked me if I wanted to use the same c.c. number that was “on file”!! Firstly, I complained, saying that I was NEVER ASKED if I’d WANTED that info. saved, and that I wanted my c.c. info. deleted from their system as soon as that last transaction had gone through! Since then, I’ve discovered 3-4 more online retailers had done the same thing!! And again, without asking or giving any sort of “opt-out” provision!!!

  19. Calvin Baskerville

    Does anyone know if the chip cards were affected? I thought this was the kind of stuff they were supposed to protect us from/ why all the retailers are converting over…

    1. Spanky

      They are saying gamestop.com was breached,not the stores, so manual entry rather than chip or swipe. Chips are moot for online purchases.

  20. Joshua

    Wonder if ebgames shares any of the same resources of gamestop…. Game stop owns ebgames and I know years ago if i remember correctly you had to go to gamestop site for ebgames.

  21. Randy

    Late 2015 someone gained access to my “reward points” using them to purchase games. It took a couple of months of dealing with Game Stop via email and phone calls to have the points returned to my account. I used them and refuse to deal with Game Stop again. They refused to tell me where or how the points were used IAW FCRA 609(e). Even after providing proof of being an ID theft/fraud victim in a federal investigation. Even explained how the criminals had opened an account with CONSUMERINFO.COM to monitor my credit reports in real time prior to opening accounts in my name. Some of this was done in NORVA , Richmond and Norfolk. Almost like the criminals were targeting military, NFCU, USAA (their rep stated that flew someone down to speak to their fraud unit), Pentagon CU, Housing Office at US Army post Fort Lee VA, Pass & ID office at Norfolk Naval Base, being hubs of activity. Most likely not related but willing to bet Game Stop was hacked to be able to steal my points. I saved the emails from dealing with them.

  22. Freya

    As the admin of this web page is working, no doubt very rapidly it will be well-known, due to its feature contents.

Comments are closed.