If you recently bought something from Tupperware.com, you may want to check your credit card statement. According to security researchers, the company’s website was hacked to secretly steal payment card numbers from customers.

On Friday, antivirus firm Malwarebytes noticed that Tupperware.com was hosting a "credit card skimmer,” which would activate during the checkout process. The skimmer works by creating a dummy payment form that’ll pass your credit card number, expiration date, and CVV code to a hacker-controlled internet domain.

The same skimmer will also collect your full name, billing address, and telephone number, giving the hackers all the information needed to make fraudulent credit card charges.

How the hackers compromised Tupperware.com remains unclear. But Malwarebytes found evidence the site is running an outdated version of Magento Enterprise, an e-commerce software platform that cybercriminal gangs often target.

In this case, the hackers hid their attack on Tupperware’s website by using an image PNG file that secretly contains malicious computer code. The PNG file itself pretends to be an FAQ image icon. However, it will also trigger the Tupperware site to load the dummy payment form during the checkout process.

According to Malwarebytes, there’s only one noticeable flaw to the attack. “The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages,” wrote company researcher Jerome Segura. “For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English.”

Malwarebytes has been trying to alert Tupperware about the credit card skimmer since the discovery. However, its attempts to reach out to the company via phone call, email, and social media have resulted in no response. So on Wednesday, Malwarebytes published a blog post about the credit card skimmer to warn the public.

“Following publication of the blog, we noticed that the malicious PNG file has been removed. This will break the skimmer,” Malwarebytes said in a follow-up tweet. “However, other artifacts remain present and a full security sweep will be necessary.”

Tupperware told PCMag it's removed the malicious code from the company's website and has launched an investigation into the hack. "We also contacted law enforcement. Our investigation is continuing and it is too early to provide further details. We anticipate providing all necessary notifications as we get further clarity about the specific timeframes and orders that may have been involved. We want to assure our customers that protecting their information is our top priority, and we will continue to work vigilantly to pursue this matter quickly to resolution," the company added.

According to Malwarebytes, the site was likely first breached on March 9.

Editor's note: This story has been updated with comment from Tupperware.

Further Reading

Security Reviews