AeroGarden maker says hackers stole months of credit card data

Bad news for home gardeners: criminals might have your credit card data.

AeroGrow, the maker of the at-home garden kit AeroGarden, said in a letter to customers that its website had credit card scraping malware for more than four months.

The company said anyone who bought something through its website between October 29, 2018 and March 4, 2019 had their credit card number, expiration date and card verification value — also known as a security code — stolen by the malware. In most cases, that’s all someone would need to make fraudulent purchases.

A letter to customers, as submitted to the California attorney general’s office (Screenshot: TechCrunch)

It’s the latest in a string of high-profile malware attacks targeting websites in the past year. Attackers often will find a vulnerability in the website running a company’s shopping cart and inject code that scrapes credit card data once it is entered into the form on the site. That data gets siphoned off and sent to a server controlled by the attacker. Because the code is running on the page, there’s no discernible or obvious way to tell if a website is affected.

One of the more well-known hacker groups is Magecart, a collective of different hackers of varying skill sets that attacks websites large and small. In the past year, the hacker groups have targeted Ticketmaster, British Airways and consumer electronics giant Newegg — and many more.

AeroGrow didn’t say how many customers were affected. We’ve reached out and will update if we hear back.