Credit card info stolen in BigFish Games site compromise

Seattle-based casual gaming company Big Fish Games has has its site and personal and financial information of some of its users compromised in an attack that started on last Christmas Eve.

“An unknown criminal installed malware on the billing and payment pages of our website that appears to have intercepted customer payment information,” the company CTO, Ian Hurlock-Jones, explained in a notification letter sent out to potentially affected customers.

“Your information may have been affected if you entered new payment details on our websites (rather than using a previously saved profile) for purchases between December 24, 2014 and January 8, 2015. Your name, address, and payment card information, including the card number, expiration date, and CVV2 code, may have been among the information accessed.”

The compromise has been discovered by the company itself on January 12, 2015, and the notification letter has been sent out a month later, on February 11.

Hurlock-Jones says that they have removed the malware and took the necessary steps to prevent it from being reinstalled on the site. Law enforcement, credit reporting agencies, and payment card networks have been notified of the breach.

Affected customers have been offered a free one-year membership to an identity protection service, and have been urged to monitor their payment account records for fraudulent transactions.

Given that the compromised information possibly includes card numbers, expiration dates, and CVV2 codes, the criminals behind this hit could use the stolen data to perform card-not-present transactions.

Big Fish Games was founded in 2002, and (self-reportedly) has distributed more than 2.5 billion games to customers in 150 countries. It is unknown how many customers were affected by this compromise, but it seems that the attackers haven’t managed to access the company’s user databases.