The company, which was criticised for not acting immediately, admitted that the names, contact details, addresses, passwords and partial payment details of around 300,000 customers were stolen in a breach that occurred last week.
The cyber attack, which comes after a spate of high profile breaches involving the information of millions of customers, is the first in which a significant amount of financial information was seized by hackers reports The Telegraph.
Among the financial details taken were the name, expiry date, some digits of the card number and home address. Although the stolen data didn’t include CVV numbers – the security code on the back of the card – or all of the card number, the details are enough for fraudsters to steal money, according to experts.
Added to this, the hackers took email addresses and contact numbers of the customers.
The stolen information is allegedly for sale online for $100. It is not clear if this auctioned data includes credit card details, but the seller claims to have the records of nearly 500,000 people – significantly more than PayAsUGym’s estimates.
“The fact that there are 10 digits of the credit card number, name and address all available means the people who had accounts with the company really are exposed and should cancel their credit cards,” said Alastair Paterson, the chief executive of Digital Shadows. “It would be relatively easy for people with the information to re-engineer the details of those cards.”
Paterson’s warning comes after researchers at Newcastle University showed criminals could work out the card number, expiry date and security code of a Visa debit or credit card in as little as six seconds with guesswork.
As well as cancelling their cards, experts urged users to change their passwords and vigilantly monitor their bank statements for the foreseeable future.
“Some banks will continue to accept transactions even if the card has expired because there are some transactions can be delayed,” said Steven Murdoch, a security researcher at University College London. “I think if a card has been reported stolen it would be good for banks to prevent future transactions but not all do so.”
Customers should also be suspicious of unsolicited messages as they could become the target of phishing attacks.
PayAsUGym has been criticised for not taking enough care over its users’ data and for not acting quickly enough.
“We hacked into PayAsUGym two days ago, still no response from them,” a Twitter account with samples of the database said last week.
The company warned customers about the hack on Thursday but denied any payment information had been taken and said all passwords were encrypted.
Professor Alan Woodward, a researcher at Surrey University, said: “The bottom line is no credit card information, be it partial or otherwise, should be stored with your other details.”
He added that it was unlikely the information was stored in separate places as hackers normally act on a “smash and grab” basis.
“They could well have stolen two lots of data but I think that’s unlikely,” he said. “Normally these hacks are smash and grab – they’re in then they’re out and they look at what they’ve got.
“It’s difficult not to conclude the whole lot wasn’t stored together. I’ve got a bad feeling about it.”
Both the Twitter account that alerted PayAsUGym of the breach and the user selling the information on the dark web are “credible” according to Digital Shadows. The seller, who goes by the name “doubleflag”, has also been linked to data stolen from Dropbox, LinkedIn, MySpace and Tumblr.
PayAsUGym said only 232 of the cards with details stolen included 10 digits, all of which were automatically added to the system in a recent upgrade. For the remaining 99 per cent of card details taken only four numbers were present.
“Once we were contacted by the hacker we responded responsibly and quickly. The hacker threatened to blackmail us. We contacted the police immediately who advised us not to respond to the hacker and, working with cyber security experts, we focused our attention on informing our customers, securing the system and changing servers. Customers were informed within two hours of us becoming aware that the breach included customer details,” the company said.
“Any of our customers that are concerned about this news should contact us immediately – we will be able to tell them exactly what data we hold for each individual.”