Cyberattackers may have personal information of MLSgear.com shoppers
Malicious hackers used SQL injection attacks between January and August of last year to possibly breach the personal information of MLSgear.com's customers, which had been stored on the servers of a third-party vendor.
Although an unknown number of consumers were affected by the incident, Michael Sapherstein, MLS vice president and deputy general counsel, told New Hampshire Attorney General Kelly Ayotte that 169 of the affected individuals are residents of her state.
The cyberattackers may have accessed customer names, addresses, credit and debit card information and website passwords, Sapherstein said in a letter dated Feb. 1.
A SQL injection attack exploits a database-layer vulnerability in an application to access end-user information. Researchers at AVG warned last month of a SQL injection attack that, at one point, affected more than 70,000 websites, including several pages of CA's site and destinations on the .edu and.gov domains.
In response to the breach, the professional soccer league has purged all MLSgear.com passwords and terminated its relationship with the vendor, which was not named. The organization has also notified all affected online shoppers.
The attack was first reported Friday on privacy website PogoWasRight.org.
The league has offered affected individuals a year of free credit monitoring with Knoll Background America and has contacted the FBI, Visa, MasterCard and its credit card payment processor about the incident, according to Sapherstein's letter.
In a letter posted to the New Hampshire Justice Department's Consumer Protection and Antitrust Bureau website, MLS President Mark Abbott told end-users that they would have to create a new password when visiting MLSgear.com.