Sadly it seems the BaT database has been lifted and you might receive emails and/or texts offering a free trackday. It will forward you to https://www.bookatrack-offers.com with an offer code to get you to fill in loads of details you really shouldn’t (and probably have the sense to not bother).
However, the more serious bit is this: your BaT user details have been lifted, including the password you used, your address, email address and of course name. If you use this password elsewhere, especially if you use it for your email, then you should change the key accounts’ passwords now.
What’s more scary with this attack is that it’s an actual person behind it rather than a botnet automated jobby, who has taken the time to set up a lookalike page and actually register a domain, and the English is fine too. With that in mind, they do have all the details you’ll see on the link.
This 99% isn’t Book-a-Track’s fault. Sites are made up of so many layers of IT systems and code, each with their own vulnerabilities, and really their site will be designed and maintained by a 3rd party company. However, really websites are like cars on track: assume what’s in front of you is driven / coded by a numpty, so always use a different password for each site you use, and really this can’t be “MySecurePassword+BAT”; they’ll guess that your exiges account is probably “MySecurePassword+exiges”.
I also got the dodgy text and have scurried around changing a few passwords for sites. Looked dodgy right from the off but didn’t have the time to look properly. I got a text from BaT within an hour or so of the scam text coming, so Jonny was definitely on the ball.
My card details were used to buy stuff online last week, same card used to book track day. Coincidence? Had to cancel and get a new card. Should I tell bookatrack?
I think this is too much of a coincidence. My card was done as well and this was the card used for Book-a-Track. I never confirmed my card details after the booking so didn’t take part in scam website. Plus my account is new from January so unlikely to get data from old setup depending on migration date.
Over 1K of stuff and have just phoned them to dispute/stop the card.
Strongly suggest everyone checks over your accounts.
Hi all, just a quick update (utterly swamped in the office as you can imagine).
We advised our merchant provider of the data breach immediately and it looks like as a precaution they are contacting the card issuing banks to reissue all cards used by BaT clients. This does not necessarily mean your card has been compromised. Jason - your booking was put through BaT in December - if you are sure the card was new in January then it couldn’t be BaT, could it?
As an aside, my own personal card was cloned last month too - but I’ve never used that through the BaT site.
Will be posting another update once things have quietened down.
No card details are stored on the BaT server. If you click “remember my card details” - they are stored at the merchant provider (Secure Trading) and BaT just use a unique token if/when you ever want to re-charge the same card.
So if I understand this correctly, your card can only be abused if you follow the rogue link for the “free day” & then enter the card details yourself? In other words, if I don’t try to book a free trackday then I’m okay?