Cyber Incident Victim: Element Vape
Date: Feb 2022
Location: United States of America
Summary
A prominent online e-cigarette retailer experienced a compromise resulting in credit card skimming malware being deployed on its live website. The malicious script, hosted externally and heavily obfuscated, harvested payment details and customer information before exfiltrating the data via a Telegram bot. The infection occurred after the retailer's site was confirmed clean in early February and remained active until removed following external disclosure. This incident follows a prior data breach years earlier that led to legal action. The company, operating across the U.S. and Canada, resolved the compromise promptly after notification but provided limited public details about the attack vector or backend infiltration method.
Description
Element Vape, a major online retailer of e-cigarettes, vaping devices, and related products operating in the U.S. and Canada, experienced a cybersecurity incident involving unauthorized credit card skimming code on its live website. Security researchers at BleepingComputer confirmed the presence of malicious JavaScript designed to harvest payment information from customers during checkout. Analysis of historical site snapshots indicated the skimmer was not present on ElementVape.com as of February 5, 2022, or earlier, suggesting the compromise occurred sometime between that date and February 18, 2022, when the investigation was published. The attack involved injecting six lines of code that loaded a malicious third-party JavaScript file (//weicowire[.]com/js/jquery/frontend.js) containing heavily obfuscated payloads. This script remained active on the production site until the day of disclosure, enabling the theft of sensitive customer data during online transactions.

The malicious JavaScript collected payment card details, email addresses, and physical addresses before exfiltrating the stolen information via a hardcoded Telegram bot API. The payload incorporated anti-reverse-engineering techniques to hinder analysis. While the exact method of initial compromise remains undetermined, this incident followed a previous 2018 data breach at Element Vape that exposed customer information and resulted in a 2019 class-action lawsuit. Upon notification by BleepingComputer through Zendesk support channels on February 18, Element Vape removed the skimming code the same day. Customers were advised to monitor their payment card statements for fraudulent activity due to potential data exposure. The company, which has operated since 2013 and expanded services through a 2021 partnership with PUDO Inc. for Canadian pickup locations, had not publicly disclosed technical details about the attack's scope or intrusion vectors at the time of reporting.
