Skip to main content

Wawa data breach: Hacker is selling 30 million credit cards on the dark web

Credit card data from a security breach that affected an East Coast convenience store chain last year was discovered being sold in the corners of the dark web this week. The amount of data stolen makes it the third-largest credit card breach in history.

Wawa convenience stores announced the attempts to sell the data in a news release on January 28. According to the Gemini Advisory Board, a company that identifies cyberthreats, the credit card information was found on the website called Joker’s Stash marketplace and exposed customer data from 30 million cards. 

wallet with cash and cards
Lukas from Pexels

If the Wawa data breach did indeed affect 30 million people, it would make it the third-largest such breach. The 2013 Target breach affected 40 million sets of data, and the 2014 Home Depot breach affected the most customers, with 50 million sets of personal data.

Joker’s Stash titled the breach information as “BIGBADABOOM-III” and it reportedly went live on Monday. Gemini researchers were able to identify the information in the breach to be the same as the Wawa breach. Card information was reportedly being sold for between $17 and $210 per card. The low prices are due to the fact that customers have been aware of a credit card breach for over a month now, and could have already changed their credit card information. 

How to protect yourself from the Wawa data breach

Wawa is still encouraging people who were initially affected by last year’s data breach to stay vigilant in checking their credit card statements for any new fraudulent activity. 

Wawa originally made customers aware of the data breach in early December 2019. It reportedly affected more than 850 stores between March 4, 2019, and December 10, 2019. Wawa said that customers who used credit cards at those stores would have been affected by the breach. 

“We remain confident that the malware we discovered on December 10 was contained by December 12 and since that time has not posed a risk to our customers,” the company said in its news release. “We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers, or other personal information were involved.  This incident did not impact ATM transactions.”

Wawa is offering affected customers free identity protection and credit-monitoring services for one year. Those eligible must apply for the free services by February 28, 2020. 

Editors' Recommendations

Allison Matyus
Former Digital Trends Contributor
Allison Matyus is a general news reporter at Digital Trends. She covers any and all tech news, including issues around social…
Marriott data breach: What to know and how to protect your data
Marriott Hotel

Marriott says customers' names, addresses, phone numbers, and other personal details were accessed in a large data breach -- the second to hit the hotel chain in less than two years.

In a statement Tuesday, Marriott announced that the information was accessed using the login credentials of two employees at a franchise property at the end of February. Among the stolen data could be:

Read more
Hackers expose personal details of 10 million MGM hotel guests
russia hotel wi fi hack hacking hacker lifestyle pc keyboard

A major security breach has hit MGM Resorts hotels after the personal details of 10.6 million guests were posted on a hacking forum this week.

The stolen data belongs not only to regular tourists but also to celebrities, tech CEOs, and government officials -- among them Twitter CEO Jack Dorsey and Canadian singer Justin Bieber.

Read more
Facebook faces another huge data leak affecting 267 million users
mark zuckerberg speaking in front of giant digital lock

More than 267 million Facebook users’ IDs, phone numbers, and names were exposed to an online database that could potentially be used for spam and phishing campaigns. 

Security researcher Bob Diachenko uncovered the database, according to Comparitech. The database was first indexed on December 4, but as of today, December 19, it is unavailable. Comparitech reports that before the site was taken down, the database was found on a hacker forum as a downloadable file. 

Read more