
Cyber Incident Victim: Bodybuilding.com

Date:

Jul 2018

Location:

United States of America

Summary

A phishing attack compromised Bodybuilding.com, potentially exposing customer information including names, email and physical addresses, phone numbers, order histories, communications, birthdates, and BodySpace profile details. While full payment card numbers and social security numbers were not impacted—as only partial card data was stored—the company initiated password resets for all users, engaged forensic experts and law enforcement, and implemented additional security measures. Notifications were sent to current and former customers advising vigilance, though no conclusive evidence confirmed unauthorized access to personal data.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

Bodybuilding.com detected a security breach in February 2019 that originated from a phishing email attack in July 2018. The company disclosed the incident in April 2019 after concluding an investigation with external forensic cybersecurity consultants. While investigators found no conclusive evidence of data exfiltration, they could not rule out unauthorized access to customer information stored on company systems. The breach potentially compromised personal details including names, email addresses, billing/shipping addresses, phone numbers, order histories, customer service communications, birthdates, and BodySpace profile information. Payment card data exposure was limited to the last four digits of stored cards for customers who opted to save payment information, with no full debit or credit card numbers impacted. Social Security numbers remained unaffected according to the forensic analysis.


In response, Bodybuilding.com initiated password resets for all customer accounts during their next login attempt and implemented additional security measures across their systems. The company engaged law enforcement and continued monitoring for unauthorized access while working to remediate vulnerabilities. Notification emails were sent to all current and former customers describing the incident's circumstances and advising recipients to manually change passwords and monitor accounts for suspicious activity. The disclosure emphasized precautionary measures given the inconclusive forensic findings, with no evidence confirming actual misuse of personal information at the time of notification.

Sources
Sources available to members (1 source)