Hacked Payment Cards from WaWa Data Breach Now for Sale on the Dark Web

Hacked Payment Cards from WaWa Data Breach for Sale on the Dark Web Marketplace Joker’s Stash – 30 Million Stolen Payment Cards from Philadelphia Based Wawa Convenience Stores and Fuel Pumps

Hacked payment cards from the WaWa data breach are currently for sale on a dark web marketplace known as Joker’s Stash. According to cyber security research firm Gemini Advisory, which discovered the batch of stolen payment cards, the biggest concentration of cards for sale traces back to WaWa customer card use in Florida and Pennsylvania.

In December 2019, Pennsylvania-based WaWa announced it had discovered that hackers had breached its payment processing servers. The hackers’ malware had been recording bank card and credit card numbers and sending the payment information to hackers from March 2019 until it was discovered in December. The payment card breach involved all 850 WaWa stores and potentially exposed 30 million sets of payment records, making it one of the largest payment card breaches of 2019.

The payment cards went on sale Monday 28 January on dark web marketplace Joker’s Stash. The cache of cards is named “BIG BADABOOM-III” by Joker’s Stash. The database of stolen payment information includes over 30 million card accounts issued by thousands of financial institutions across more than 40 U.S. states.

Although about 30 million payment card numbers were stolen, Joker’s Stash is only selling 100,000 at this time. This is a common practice to keep the price of the stolen card information up. Hackers usually release stolen data in batches.

What Happened in the WaWa Data Breach?

Wawa says it discovered the data breach on 10 December 2019 and halted the malware attack on 12 December. However, the payment card skimming malware is believed to have been living on WaWa point-of-sale terminals in stores and at fuel pumps since 04 March 2019. So, for nine months, the malware sent customer payment card numbers back to hackers from WaWa registers. Hacked information included debit and credit card numbers, expiration dates, and cardholder names. The breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card or four-digit code for American Express cards).

What is the Dark Web?

The dark web is another part of the internet that the average internet user never uses. The visible, everyday portion of the web that the average user accesses is referred to as the clear web or surface web. The dark web is associated with criminal activity such as selling stolen payment information, illegal drug trafficking, weapons sales, and the sale of hacking tools. It’s known as a place for hackers and is only accessible with special web browsers like Tor Browser.

The dark web is not to be confused with the deep web. The deep web is another part of the web that is not indexed by standard web search engines like Google and Bing. Web pages on the deep web usually need login credentials to access their contents. For example, your email, bank account, and news subscription website are accessible only by logging in with a username and password. They are part of the deep web.

How is Hacked Payment Information Used?

Hacked payment information is used to help establish an identity or reproduce physical payment cards, or the card numbers can be sold on dark web marketplaces in large databases after large data breaches such as the WaWa breach. Hackers sell large databases of stolen payment information at Joker’s Stash and other marketplaces. According to Gemini, “The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.”

Hackers may also use the stolen payment information to reproduce physical cards, which can also be sold or used for expenses. However, hackers may also use stolen payment information for other scams such as identity theft, tax theft, or medical fraud.

What is Joker’s Stash?

Joker’s Stash is an online dark web marketplace that sells stolen credit cards. It first appeared in 2014 and has become a popular marketplace for stolen credit cards from online and physical transactions. Stolen payment information includes cards hacked from Hy-Vee supermarkets in the Solar Energy breach, the Davinci breach, and over one million cards from banks in India. Joker’s Stash goods for sale now include personally identifiable information, including social security numbers.

How Hackers Make Money Illegally

Hackers make money illegally by stealing data, login credentials, and payment information from victims. Some hackers work at the behest of governments and steal data, sensitive corporate trade secrets, and government information as a full-time job. Other hackers develop malware that they sell on the dark web to other hackers. Hackers use malware to make money illegally by stealing payment information like credit cards, debit cards, and login credentials to financial accounts.

With stolen credentials, hackers can transfer money away from the victim’s bank or produce duplicate credit cards with stolen payment information imprinted on them. They then use the cards to pay for purchases or may sell the cloned cards or stolen credit card numbers in large batches in online dark web marketplaces such as Joker’s Stash. They can also sell the duplicated physical cards to buyers on the street.

Large lists of hacked emails, usernames, and passwords are sold online on the dark web. The list can be sold to multiple buyers. People frequently use the same username, email address, and password combination across multiple online accounts. If a hacker can steal a set of login credentials to a social media account, they can often use it to log into more sensitive online accounts like banks and credit cards.

Hackers make money illegally by stealing yours. That’s why it’s always important to have a strong and unique password for every online account. If you cannot remember a unique password for each account, it’s best to use a password generator and vault.

What is WaWa?

Wawa, Inc. is a chain of convenience stores and gas stations located along the East Coast of the United States. The company was founded in 1964 in Folsom, Pennsylvania. The chain has 842 stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, D.C., and Florida and has a cult following of loyal customers.

My Payment Card Was Hacked. What Do I Do Next?

Consumers are not liable for fraudulent credit card charges as long as they notify their bank of the fraud within a reasonable timeframe. Federal law protects consumers from paying for fraudulent credit card charges such as those from a payment card breach like WaWa.

Wawa is offering free credit monitoring services for customers involved in the payment card breach. The company says it will work with customers who have issues with their banks reimbursing them for fraudulent charges. United States Service personnel are entitled to free credit monitoring and credit monitoring services.

  1. Freeze Your Credit.
    Freezing your credit prevents anyone, including you, from opening up new credit accounts in your name. When you freeze your credit, it stops someone from using your stolen credentials to obtain car loans, mortgages, new credit cards, or other lines of credit in your name. It also prevents credit line increases.
  2. Get Identity Theft Protection.
    Wawa is offering free Identity Theft Protection, but you may want to get an enhanced version of identity theft monitoring that covers all of your payment cards and banks.
  3. Review Payment Card Account Statements.
    Review bank statements and credit card statements to look for fraudulent charges. Hackers are actively selling payment cards from the WaWa Payment Card breach right now. The card numbers can be used to make purchases online or to clone physical cards to use in stores. Review your bank and credit card statements. Order a new card from your bank with a new set of numbers.
  4. Get a Credit Report.
    Order a copy of your credit report. All consumers in the United States are entitled to an annual free credit report from each of the three major credit reporting bureaus. Any time a credit application is denied, you are entitled to a free report from the reporting agency that turned down your application.

  5. Use a Mobile Wallet to Pay in Stores.
    A mobile wallet is an encrypted way to pay with physical credit cards without having to swipe or dip the card in the POS reader. The card information is stored on your phone. Using a mobile wallet keeps your payment information safe because the full card information is not revealed to the retailer.

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.