Advertisement

Internet ‘bazaar’ announces it’s selling card data stolen in Hy-Vee data breach


Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Information from more than 5.3 million debit and credit cards stolen during a data breach at Hy-Vee went on sale this week at a site that traffics in stolen card data, according to security reporter Brian Krebs.

“According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name ‘Solar Energy,’ at the infamous Joker’s Stash carding bazaar,” Krebs reported on Thursday.

Hy-Vee announced last week that it was investigating a potential data breech at its fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). The company said in-store purchases, including those made at the supermarket’s check-out registers, were unaffected, because those transaction were conducted using a system with more sophisticated encryption.

“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs said. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”

According to Krebs, the stolen card data for sale belongs to people living in 35 states.

Krebs — who reported on internet security for the Washington Post for more than a decade, before creating his own news site, Krebs on Security — has reported extensively on Joker’s Stash.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are ‘exclusive, self-hacked dumps.’

‘This mean [sic] – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,’ Joker’s Stash explained on an introductory post on a carding forum in October 2014.

A Hy-Vee spokesperson told Krebs, “We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”

A spokesperson for the Iowa Attorney General told the Des Moines Register on Friday that Hy-Vee had not yet contacted the AG’s office. State law requires any company experiencing a data breach that affects 500 or more customers to contact the AG’s office.

Hy-Vee told both Krebs and the Register that it is continuing to investigate the data breach.


[gravityform id="17" title="false" description="false" ajax="true"]
<div class='gf_browser_unknown gform_wrapper your-village-form_wrapper' id='gform_wrapper_17' ><a id='gf_17' class='gform_anchor' ></a><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_17' id='gform_17' class='your-village-form' action='/internet-bazaar-announces-its-selling-card-data-stolen-in-hy-vee-data-breach/#gf_17'> <div class='gform_body'><ul id='gform_fields_17' class='gform_fields top_label form_sublabel_below description_below'><li id='field_17_7' class='gfield gfield_html gfield_html_formatted gfield_no_follows_desc field_sublabel_below field_description_below gfield_visibility_visible' ><h3 style="font-weight:800; font-size:34px;">Let's get started</h3> <p style="font-size:18px;">Fill out this form and we'll contact you with information about marketing with Little Village!</p></li><li id='field_17_4' class='gfield field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label gfield_label_before_complex' for='input_17_4_3' ></label><div class='ginput_complex ginput_container no_prefix has_first_name no_middle_name has_last_name no_suffix gf_name_has_2 ginput_container_name gfield_trigger_change' id='input_17_4'> <span id='input_17_4_3_container' class='name_first' > <input type='text' name='input_4.3' id='input_17_4_3' value='' aria-label='First name' tabindex='2' aria-invalid="false" placeholder='First name'/> <label for='input_17_4_3' >First</label> </span> <span id='input_17_4_6_container' class='name_last' > <input type='text' name='input_4.6' id='input_17_4_6' value='' aria-label='Last name' tabindex='4' aria-invalid="false" placeholder='Last name'/> <label for='input_17_4_6' >Last</label> </span> </div></li><li id='field_17_5' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_17_5' ><span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_5' id='input_17_5' type='text' value='' class='large' tabindex='6' placeholder='Company name' aria-required="true" aria-invalid="false" /></div></li><li id='field_17_3' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_17_3' ><span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_email'> <input name='input_3' id='input_17_3' type='text' value='' class='large' tabindex='7' placeholder='Your email address' aria-required="true" aria-invalid="false"/> </div></li><li id='field_17_8' class='gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_' ><label class='gfield_label' for='input_17_8' >Name</label><div class='ginput_container'><input name='input_8' id='input_17_8' type='text' value='' /></div><div class='gfield_description'>This field is for validation purposes and should be left unchanged.</div></li> </ul></div> <div class='gform_footer top_label'> <input type='submit' id='gform_submit_button_17' class='gform_button button' value='SUBMIT' tabindex='8' onclick='if(window["gf_submitting_17"]){return false;} window["gf_submitting_17"]=true; ' onkeypress='if( event.keyCode == 13 ){ if(window["gf_submitting_17"]){return false;} window["gf_submitting_17"]=true; jQuery("#gform_17").trigger("submit",[true]); }' /> <input type='hidden' name='gform_ajax' value='form_id=17&amp;title=&amp;description=&amp;tabindex=1' /> <input type='hidden' class='gform_hidden' name='is_submit_17' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='17' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_17' value='WyJbXSIsIjlmNzc1YTEyZmZjNmYyODk5Mzk0NDM3ZjRlOGYyZDNmIl0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_17' id='gform_target_page_number_17' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_17' id='gform_source_page_number_17' value='1' /> <input type='hidden' name='gform_field_values' value='' /> </div> <p style="display: none !important;"><label>&#916;<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="50"/><script>document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_17' id='gform_ajax_frame_17'>This iframe contains the logic required to handle Ajax powered Gravity Forms.</iframe> <script type='text/javascript'>jQuery(document).ready(function($){gformInitSpinner( 17, 'https://littlevillagemag.com/wp-content/plugins/gravityforms-asdf111aasdfffs-nope/images/spinner.gif' );jQuery('#gform_ajax_frame_17').load( function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_17');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_17').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! is_confirmation;if(is_form){jQuery('#gform_wrapper_17').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_17').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_17').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_17').offset().top); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_17').val();gformInitSpinner( 17, 'https://littlevillagemag.com/wp-content/plugins/gravityforms-asdf111aasdfffs-nope/images/spinner.gif' );jQuery(document).trigger('gform_page_loaded', [17, current_page]);window['gf_submitting_17'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_17').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_17').offset().top);jQuery(document).trigger('gform_confirmation_loaded', [17]);window['gf_submitting_17'] = false;}, 50);}else{jQuery('#gform_17').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [17, current_page]);} );} );</script><script type='text/javascript'> if(typeof gf_global == 'undefined') var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2},"base_url":"https:\/\/littlevillagemag.com\/wp-content\/plugins\/gravityforms-asdf111aasdfffs-nope","number_formats":[],"spinnerUrl":"https:\/\/littlevillagemag.com\/wp-content\/plugins\/gravityforms-asdf111aasdfffs-nope\/images\/spinner.gif"};jQuery(document).bind('gform_post_render', function(event, formId, currentPage){if(formId == 17) {if(typeof Placeholders != 'undefined'){ Placeholders.enable(); }} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} );</script><script type='text/javascript'> jQuery(document).ready(function(){jQuery(document).trigger('gform_post_render', [17, 1]) } ); </script>