The NutriBullet hack. An example of how a company could have avoided pain. Nutribullet has become the latest Magecart victim with skimmer code planted within their domain in order to steal customer financial data. RiskIQ published their research on Wednesday of this week, and it make very good reading.
You can read the research here.
Having read it, two questions immediately come to mind. Why did Nutribullet not respond to a responsible disclosure attempt by RiskIQ and how did they not spot it themselves? If they had responded, the NutriBullet hack surely would have had less impact on the business.
Receiving Responsible Disclosure
No one wants to have security issues, but in the constantly evolving connected world it will happen sooner or later. One thing that the NutriBullet hack clearly demonstrates if that if they had been listening, the hack would have been spotted a lot sooner. So why not embrace it and hear about issues from the good guys rather than get hacked and hear about it another way?
Security researchers, when they find an issue, will do their very best to communicate to the right person. So make it easy. Put a link in the footer of your website that links to page providing all the information the researcher needs to report it. For example, in our footer we have a link to our “Responsible Disclosure” page.