NutriBullet Data Breach – Class Action Investigation

Chimicles Schwartz Kriner & Donaldson-Smith LLP is investigating a potential data breach class action lawsuit against blender manufacturer NutriBullet. Reports indicate that criminal hacker group Magecart Group 8 planted malicious code (i.e., malware) on NutriBullet’s website which went undetected for months, resulting in the theft of credit card details and personal information from consumers.

Specifically, card-skimming malware planted on the NutriBullet website’s payment page stole credit card numbers, expiration dates, CVV codes, names, and addresses of unsuspecting blender buyers and sent them to a server under the control of cybercriminals. Although NutriBullet has not confirmed the window of the breach, data security researcher RiskIQ has indicated that customers who placed orders on NutriBullet’s website between February 20 and March 18 are likely to have been affected. According to reports, the sensitive data was then sold to other criminals on underground forums and the dark web.

RiskIQ independently discovered that NutriBullet’s website had been compromised in repeated malware attacks for many weeks, and attempted to notify NutriBullet of the breach. Although NutriBullet has attempted to remove the malware, RiskIQ claims that the attackers continued to break back in and plant malicious code – suggesting that the attackers continue to exploit a way of compromising NutriBullet’s infrastructure.

In a public statement, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet commented: “Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach . . . . The company’s IT team promptly identified malicious code and removed it.” These statements are at odds with RiskIQ’s investigation. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until March 18. To date, NutriBullet’s plan for notifying impacted consumers remains uncertain.

If you used a debit or credit card to make a purchase on NutriBullet’s website in February or March 2020, and think your personal financial information was compromised by this recent data breach, please contact the lawyers listed on this page.

When communicating with us through this site or otherwise in connection with a matter for which we do not already represent you, your communication may not be treated as privileged or confidential, and does not create an attorney-client relationship between you and our Firm.

Attorneys for this case:

Benjamin F. Johns
Mark B. DeSanto