
Wacom says crooks probably swiped customer credit cards from its online checkout

Digital canvas slinger indicates dot-com was skimmed for over a month


Graphics tablet maker Wacom has warned customers their credit card details may well have been stolen by miscreants while they were buying stuff from its website.

We're told people's payment information was likely pilfered from the biz's online store between the end of November and early January, and that if you get a message from Wacom about this, you should consider yourself affected. If not, don't worry about it for now.

"While we are still investigating," the Japan-based manufacturer told punters in an email seen by The Register today, "we believe it may have occurred between November 28, 2024 and January 8, 2025.

"The issue that contributed to the incident has been addressed and is effectively being investigated. However, we are now writing only to customers who might have been potentially affected by this."

If you are one of the unlucky ones to get the mail, the digital art equipment slinger suggests the following:

  • Monitor your credit card statements for any unauthorized activity.
  • Contact your credit card issuer immediately if you see any suspicious charges.
  • Consider placing a fraud alert on your credit card.

The wording of the message suggests Wacom is aware of how the payment information was stolen, and has closed up whatever security weakness was involved. To us, it sounds as though someone was able to infect the maker's website with malicious code that skimmed people's card details and other info in real-time as they paid for things, and that this code exfiltrated that sensitive data to fraudsters to exploit.

There are other possibilities, such as Wacom logging sensitive payment info in a way that allowed miscreants to snatch it, but our money is on a payment page skimmer.

Wacom uses Magento for its e-commerce, which leads us to speculate someone exploited something like the CosmicSting vulnerability in that software to infect the dot-com's checkout pages and make off with netizens' credit card numbers.

Officially dubbed CVE-2024-34102, the now-patched flaw was used to steal bank card data as victims made purchases from over 4,000 online merchants in 2024, according to estimates.

The XXE (XML External Entity) vulnerability scores 9.8 out of 10 on the CVSS severity scale. Ray-Ban, National Geographic, Whirlpool, and Segway - among others - all had their web ordering pages infected via the flaw. At least seven criminal gangs were known to be abusing the bug in the wild, each using their own exploit implementations.
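CosmicSting is a bug in Magento's PHP code, but the underlying XXE mechanism is the same in any XML parser that follows external entity references: the attacker declares an entity whose content comes from a URL of their choosing, references it in the document, and the parser dutifully fetches the target and splices it into the parsed data. As an added example (this is not the CosmicSting exploit and not Magento code; the secret file, the `<config>`/`<dbHost>` element names and the payload are constructed), the Python script below shows a parser configured to honour external general entities reading a local file into the document, beside a hardened configuration that keeps entities disabled and refuses any document carrying a DOCTYPE.

```python
"""XXE demonstration: the same parse with external general entities enabled
(vulnerable) and with them disabled plus DOCTYPEs refused (hardened).
Added example; the secret file, payload and element names are constructed."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Stand-in for a sensitive file on the web server (constructed for the demo).
SECRET = "s3cr3t-db-password"
_secret_file = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_secret_file.write(SECRET)
_secret_file.close()
SECRET_URL = pathlib.Path(_secret_file.name).as_uri()  # file:///... URL

# Attacker-controlled document: the entity's replacement text is fetched from
# SECRET_URL and lands inside <dbHost>, which the application reads back.
PAYLOAD = f"""<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY xxe SYSTEM "{SECRET_URL}">
]>
<config><dbHost>&xxe;</dbHost></config>""".encode()

BENIGN = b"<config><dbHost>db.example.internal</dbHost></config>"


class DbHostHandler(ContentHandler):
    """Captures the text of <dbHost>; stands in for the application's XML handling."""

    def __init__(self):
        super().__init__()
        self.in_target = False
        self.text = []

    def startElement(self, name, attrs):
        self.in_target = name == "dbHost"

    def endElement(self, name):
        if name == "dbHost":
            self.in_target = False

    def characters(self, content):
        if self.in_target:
            self.text.append(content)


class RefuseDtd:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in this document")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def _parse(xml_bytes, external_entities, refuse_dtd):
    handler = DbHostHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, external_entities)
    if refuse_dtd:
        parser.setProperty(property_lexical_handler, RefuseDtd())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def read_db_host_unsafe(xml_bytes):
    """Vulnerable configuration: external general entities are fetched and expanded."""
    return _parse(xml_bytes, external_entities=True, refuse_dtd=False)


def read_db_host_hardened(xml_bytes):
    """Hardened: entities stay off (the Python >= 3.7.1 default) and a DOCTYPE aborts the parse."""
    return _parse(xml_bytes, external_entities=False, refuse_dtd=True)


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document outright."""
    try:
        read_db_host_hardened(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe parser returned:", read_db_host_unsafe(PAYLOAD))
    print("hardened parser rejects payload:", hardened_rejects(PAYLOAD))
```

The point of refusing the DOCTYPE rather than only disabling entity expansion is that a parser which silently drops the entity still accepts attacker-shaped input; failing closed on the first `<!DOCTYPE` removes the whole class of entity tricks, including the billion-laughs style expansion attacks that need no external fetch at all. Whatever XML library a checkout stack uses, the check to make is the same: does it resolve external entities by default, and is DTD processing switched off for untrusted input?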

Wacom makes no mention of how many people are affected, nor of who is thought to have carried out the theft or how. But with the stated window closing on January 8, it does rather look as though the corp sat on the news for three weeks after discovering the intrusion before telling punters about it.

"We take the security of your personal information very seriously, and we are working diligently to resolve this issue," its email to customers concluded. "We will provide you with more information as it becomes available."

Wacom did not have any additional comment at time of going to press. ®
