Website peddling 26 million stolen credit and debit cards got hacked

Not even professional digital fraudsters are immune to getting hacked.

This was made abundantly clear today following a report by Krebs on Security that an online shop offering approximately 26 million stolen debit and credit card numbers for sale was itself the victim of a hack. And, perhaps best of all, the site's entire purloined library might have been tainted in the process.

Krebs on Security notes that the carding site in question, BriansClub, appears to have gathered its stolen card numbers over the course of the past four years from both online and physical retail stores. The site's FAQ page explains that it "[sells] the dumps (track2/track1) with country, state, city, zip information (optional) and CVV2 cards."

Track 1 and Track 2 refer to different bits-per-inch encoded data on credit cards' magnetic stripes.

Original image has been replaced. Credit: Mashable

According to Brian Krebs, the noted cybersecurity reporter who runs Krebs on Security, last month he was sent a file allegedly containing BriansClub's entire database of stolen cards. Some of the cards in the file matched redacted versions on sale at BrainsClub, lending credence to the claim that the file was legitimate.

This hack might have simply been a reminder that nothing online is secure — even sites designed to thrive off that insecurity — were it not for what came next.

"All of the card data stolen from BriansClub," writes Krebs, "was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground."

In other words, there is a decent chance that a large percentage of these card numbers are now flagged as having been compromised.

To make this entire situation even more ridiculous, BriansClub was reportedly named after Brian Krebs as some sort of joke.

Notably, for all those stressing carde out there, BriansClub does claim to offer refunds. "For invalid cards you will get refund immediately," reads the site's FAQ.

We reached out to the BriansClub site admin via its support ticket page for comment on the alleged hack and the possibility that its cards are now worthless. We received no immediate response.

Perhaps whoever runs BriansClub is too busy processing refund requests.