The mobile virtual network operator (MVNO) Boom! Mobile was recently hacked. Ars Technica has a good article covering the incident.
A bit of malicious code was inserted in the checkout section of Boom’s website. Hackers used the code to skim payment information and credit card numbers from Boom’s customers. It looks like the malicious code was active for at least a few hours, possibly longer.
Boom’s website was running an outdated version of PHP. At this time, I don’t know what vulnerability the hackers took advantage of. I’m also unsure if this was an isolated incident or if Boom was affected by other security breaches.
I’m not sure Boom should have been handling its own payment processing. The carrier may have violated PCI DSS rules.
Update: A representative from Boom posted the following on Howard Forums:
Thanks for checking in.
boom MOBILE deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation. We have found that the malware was located only on our shopping cart at boom.us and not on any of our other sites such as myaccount.boom.us which is used by customers to manage their billing. We encourage customers who may have made a purchase from www.boom.us between 9/30/20 – 10/5/20 to take the necessary precautions with their credit card company. This incident did not compromise any boom MOBILE accounts, saved payment or autopay details. Our saved payment/autopay system does not store any bank information and was verified to be safe. The credit card processor provides us with a secure token that can only be used by boom! MOBILE from our secure server. We are committed to protecting your data & privacy. We are PCI compliant and do not store financial data on our servers. Our shopping cart provider has ensured us our site is safe and the malware has been removed.