Sally Beauty Supply admitted that about 25,000 credit card numbers were compromised when they were hacked earlier this year, but there’s evidence that the breach was much, much larger than that. Security reporter Brian Krebs is the person who first reported the extent of the 2013 Target breach, and he thinks that there could be a lot more compromised numbers than Sally will admit. It could be eleven times as many.
Krebs looked at the breach from another point of view: the bizarro e-commerce world where bad guys and gals buy and sell ill-gotten credit card numbers. It’s interesting that right around the time that Sally’s systems were breached, about 280,000 fresh new credit card numbers hit the market. That market? The same site that sold credit card numbers taken from Target.
The real innovation of this vendor is that they provide ZIP codes for the cards, which allowed Krebs and an anonymous team of researchers to analyze the locations of cardholders and compare them to the locations of Sally stores. In that fresh batch of 280,000 cards for sale, the cardholder ZIP codes map closely to known locations of Sally stores, just as they did in the Target breach.
Why do card number sellers let customers shop by ZIP code? When it comes to stolen cards, buying local means it will take the bank longer to catch you. Aspiring thieves can buy cards that belong to victims close to where they live.
Spending at a store near where the cardholder lives doesn’t set raise fraud flags for banks the same way that spending at a store across the country or across the world would. They can encode the card number on the magnetic strip of a physical credit card and use them at big-box stores where cashiers never handle customers’ cards.
ZIP Codes Show Extent of Sally Beauty Breach [Krebs On Security]