
Over 5 Million Credit Cards Leaked Online After Hy-Vee Supermarkets Data Breach

In mid-August, a large number of credit card credentials were put up for sale on the underground web. The credentials were reportedly stolen from various hacked facilities belonging to Des Moines-based supermarket chain Hy-Vee.

In mid-August, Hy-Vee officially announced that it suffered a security breach and data was extracted, including customer information processed by the electronic systems used by some Hy-Vee gas pumps and drive-thru restaurants. As of the announcement, the company had not yet determined the exact scope of the breach or its starting point.

The usual approach bad actors use in this sort of scenario is the remote installation of malicious software on the devices that process customer payments. The malware scrapes the information stored on the credit card, and the stolen data is then used to produce fake credit cards.

On the bright side, Hy-Vee reported that no data was stolen from card terminals used in the chain's grocery, pharmacy or convenience stores. Those terminals use different software and employ encryption that makes card data essentially unreadable by a third party.

Allegedly, the data dump containing the stolen credit card information is being sold as the "Solar Energy breach" on underground marketplace Joker's Stash. The stolen credentials are on sale, with a single fake card sold for an average of $25. Meanwhile, Hy-Vee stated that they are already working with payment processing service vendors and card networks to quickly spot the problematic cards.

Security researchers have been monitoring a slow change in the activity of cyber criminals who go after credit card credentials, with bad actors gradually shifting their attention from huge chains such as Target to smaller and potentially less protected systems operated by smaller retailers.