hacker PeteLinforth/Pixabay

One of the largest and most popular online fitness stores, Bodybuilding.com, fell victim to a data breach that may have exposed customers' private and sensitive information. Hackers may have stolen customers' names, dates of birth, email addresses, billing/shipping addresses, phone numbers, order histories and more.

Although the firm is still unclear about whether the attackers gained access to customers' data, it has decided to err on the side of caution and is notifying current and former customers about the breach. Bodybuilding.com has already reset passwords for its customers and has also urged its users to immediately change passwords on their online accounts.

Bodybuilding.com said that it identified a suspicious incident in February 2019 and hired an independent security firm to investigate the unauthorized access to its IT systems. Investigators discovered that the breach was caused by a phishing email received by the firm's staff in July 2018.

“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed,” Bodybuilding.com said in a statement. “Upon discovering the incident, we took steps to understand the nature and scope of the issue, and brought in external forensic consultants that specialize in cyber-attacks. We have engaged with law enforcement and are working with leading security experts to address any vulnerabilities and remediate the incident.”

Bodybuilding.com confirmed that customers' financial data, including credit and debit card numbers, were not compromised in the breach since the firm does not store this kind of data. The firm also stressed that customers' Social Security Numbers remained safe as well.

“Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to insert the Bodybuilding.com FAQs URL into your browser and does not request your personal data,” Bodybuilding.com said.

Bodybuilding.com has over seven million users and its website receives over 30 million visitors a month, ZDNet reported.