Cyber Incident Victim: SCUF Gaming International
Date:
Feb 2021
Location:
United States of America
Summary
SCUF Gaming International suffered a web skimming attack where threat actors compromised its online store using third-party vendor credentials, injecting malicious scripts to harvest customers' credit card details including names, numbers, expiration dates, CVVs, email addresses, and billing information. Over 32,000 individuals were impacted, with PayPal transactions unaffected. The company later disclosed a separate incident involving an exposed internal development database containing personal and payment records of over 1.1 million customers. Unusual activity alerts from its payment processor prompted an investigation leading to skimmer removal, though affected customers were advised to monitor accounts for potential fraud.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 3, 2021, attackers compromised SCUF Gaming International’s online store by leveraging login credentials belonging to a third-party vendor, gaining unauthorized access to the company’s backend systems. The threat actors deployed a malicious JavaScript-based skimming script—a technique associated with e-Skimming or Magecart attacks—designed to harvest payment card details entered by customers during checkout. This script operated undetected for over six weeks, capturing cardholder names, email addresses, billing addresses, credit card numbers, expiration dates, and CVV codes from transactions processed between February 3 and March 16, 2021. On February 18, SCUF Gaming’s payment processor alerted the company to unusual activity involving credit cards used on its platform, prompting an investigation. The skimmer was identified and removed on March 16 following a forensic examination conducted with third-party specialists. SCUF Gaming confirmed PayPal transactions were unaffected, limiting the breach’s scope to direct credit card payments. The company later disclosed to the Office of the Maine Attorney General that 32,645 individuals were impacted by the incident.
SCUF Gaming initiated customer notifications in May 2021, advising affected individuals to monitor bank accounts for suspicious activity but clarifying that the communication did not confirm fraudulent transactions. The company recommended contacting card providers to request new payment card numbers as a precautionary measure. Separately, on April 10, 2021, SCUF disclosed an unrelated data breach involving an exposed internal development database containing over 1.1 million customer records with personal and payment information. No further details regarding the cause or timeline of this second incident were provided in the notification. The February-March skimming attack exemplified a targeted financial data theft operation, with stolen information likely intended for sale on carding forums or use in fraud schemes. Forensic efforts confirmed the attackers’ access was terminated upon skimmer removal, though the company did not specify whether additional security measures were implemented post-incident.