Vision Direct Reveals Data Breach

Popular European online contact lenses supplier Vision Direct on Monday revealed that customer data was compromised in a data breach earlier this month. 

Customers who ordered products or updated their information on the company’s UK website ( between November 3 and November 8 likely had their information stolen, the company said in a disclosure. 

The data became compromised when the users entered it on the website, and not from the Vision Direct database website. Thus, existing personal data previously stored in the database was not affected, the company explains.

The attackers were able to extract customer personal and financial details such as full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

Customers who made orders through PayPal did not have their PayPal accounts compromised, although other personal information, including name and address, might have been accessed.

Vision Direct says the breach has been resolved and that it has already taken the necessary steps to prevent further data theft. The company is also working with the authorities to investigate the incident. 

“Customers who logged into or created a new account between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November 2018 may have been affected. We advise any customersaid

In a discussion on Twitter, security researchers who looked into the incident revealed that the data was stolen via a Javascript keylogger placed on the website, similar to the numerous MageCart attacks that made the headlines over the past several months.

Vision Direct customer data was apparently stolen with the help of a fake Google Analytics script. The malware was served from, a fraudulent domain “hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor,” as security researcher Willem de Groot revealed in September. 

The g-analytics malware has already infected a large number of websites, the researcher revealed at the time. He had been tracking 15 different variations by early September, but the malware used on Vision Direct appears to be a different sample. 

While Vision Direct only mentioned as being compromised, de Groot pointed out on Twitter that the attack hit nearly a dozen of the company’s websites. 

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: