By Robert Lemos
Posted on ZDNet News: Dec 22, 2000 12:00:00 AM

Online electronics and computer retailer Egghead.com acknowledged on Friday that the company's servers had been hacked by network intruders and an unnamed number of credit cards potentially lost.

"Egghead.com has discovered that a hacker has accessed our computer systems, potentially including our customer databases," said the company in a statement early Friday. "As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit-card companies we work with."

Sources inside the credit-card industry told ZDNet News that Egghead may warn up to 3.7 million credit-card holders that their card numbers had been stolen.

In its October earnings release, Egghead put the total number of people registered to bid or buy using its service at 3.6 million.

The company said it has retained "security experts" to conduct an investigation, and also claimed to have contacted law enforcement officials.

But spokespersons for the Los Angeles and San Francisco bureaus of the FBI said they have yet to be contacted. The national FBI office refused to comment on the case.

Egghead (eggs) officials refused to respond to questions regarding the hack late Thursday night, and company executives reached by phone on Thursday also denied any break-in.

Given the numbers, the heist is, far and away, the largest credit-card database lost to cyberthieves so far.

A year ago, online music seller CD Universe lost more than 300,000 credit cards to a Russian thief, while earlier this month online credit-card clearinghouse Creditcards.com lost another 55,000.

Egghead's inability to determine how many of its customers had been compromised may mean that the company does not have a real-time auditing system in place, said Paul Robertson, senior developer for security service firm TruSecure Corp.

"If you don't know how many credit card numbers you lost, you are giving a quick, blanket, worst-case answer -- and then finding out what happened afterwards," he said.

Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

IIS is known to have had many security flaws. The two most common exploits are the remote data services flaw -- used often by "script kids" to deface Web servers -- and a relatively new Unicode exploit that can result in an attacker gaining complete control of the server.

However, Robertson said such holes should have been patched.

"It really doesn't matter what Web server you are running ... if you are not keeping up with patches, you're insecure."

ZDNet News' Patrick Houston contributed to this report.