It has been reported that Tuition website TrueFire has informed users that an “unauthorised person” had access to the company’s computer system, and specifically to unencrypted information that was entered into its website, for a period of over five months. TrueFire, which boasts over 1 million users worldwide, explained that even though it does not store personal information itself, the ‘unauthorised user’ had potentially been able to harvest sensitive customer information as it was being entered into the site.
The symptoms described sound just like a normal Magecart attack, or at least based on the same setup. If the company have been leaking credit card details they do themselves need to implement a payment flow, and the sites should have been tested for PCI compliance, so it will be interesting to see where this goes if the issue has been present for a substantial amount of time.
As always, it is unfortunate to hear when a website has been breached and user data has been compromised. As there is no saying what will happen with the accessed data or what has already happened, I would urge every user to call their bank/ credit card company and find out what the next steps should be going forward. One appropriate action might be the cancellation and replacement of the credit card with a new one.
Furthermore, I would recommend that users change their passwords. Changing passwords every now and then not only serves as a good precaution, but also a good habit to have. However, it is important that users do not solely change their password on the breached site. Rather, instead of using the same password across several accounts as people tend to do, make sure to use a different password for each site.
As there are many services that use your name, address and a credit card number as proof of identification, be on the lookout for attempts at identity theft. Talk to your bank/credit card company to see if they can give you a list of all the occasions when attempts were made to use your credit card. As previously mentioned, credit cards are not only used for payments. As such, it would also be ideal to change any pins or online passwords that are connected to the card in order to prevent further damage.