Internet ‘bazaar’ announces it’s selling card data stolen in Hy-Vee data breach

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Information from more than 5.3 million debit and credit cards stolen during a data breach at Hy-Vee went on sale this week at a site that traffics in stolen card data, according to security reporter Brian Krebs.

“According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name ‘Solar Energy,’ at the infamous Joker’s Stash carding bazaar,” Krebs reported on Thursday.

Hy-Vee announced last week that it was investigating a potential data breech at its fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). The company said in-store purchases, including those made at the supermarket’s check-out registers, were unaffected, because those transaction were conducted using a system with more sophisticated encryption.

“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs said. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”

According to Krebs, the stolen card data for sale belongs to people living in 35 states.

Krebs — who reported on internet security for the Washington Post for more than a decade, before creating his own news site, Krebs on Security — has reported extensively on Joker’s Stash.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are ‘exclusive, self-hacked dumps.’

‘This mean [sic] – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,’ Joker’s Stash explained on an introductory post on a carding forum in October 2014.

A Hy-Vee spokesperson told Krebs, “We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”

A spokesperson for the Iowa Attorney General told the Des Moines Register on Friday that Hy-Vee had not yet contacted the AG’s office. State law requires any company experiencing a data breach that affects 500 or more customers to contact the AG’s office.

Hy-Vee told both Krebs and the Register that it is continuing to investigate the data breach.

Thoughts? Tips? A cute picture of a dog? Share them with LV »

The Future is Unwritten

You look to Little Village for today’s stories. Your sustaining support will help us write tomorrow’s.


$10/mo or $120/year
The cost of doing this work really adds up! Your contribution at this level will cover telephone and internet expenses for one month at the LV editorial offices.


$20/mo or $240/year
$240 is enough to cover one month’s costs for sending out our weekly entertainment newsletter, The Weekender. Make a contribution at this level to put a little more oomph on your support and your weekend.


$30/mo or $360/year
(AUTO-RENEW) connects eastern Iowa culture with the world. Your contribution at this level will cover the site’s hosting costs for three months. A bold move for our boldest supporters!

All monthly and annual contributors receive:

  • Recognition on our Supporters page (aliases welcome)
  • Exclusive early access when we release new half-price gift cards
  • Access to a secret Facebook group where you can connect with other supporters and discuss the latest news and upcoming events (and maybe swap pet pics?) with the LV staff
  • Invitations to periodic publisher chats (held virtually for now) to meet with Matt and give him a piece of your mind, ask your burning questions and hear more about the future plans for Little Village, Bread & Butter Magazine, Witching Hour Festival and our other endeavors.