Bookatrack Scam

Thanks Jonny, hope it all works out and soon for you mate.

Hmm, is all the cash being filtered into a secure Thai bank account :confused:

I smell a rat :mrgreen:

I do believe you must be wrong as I don’t believe in coincidence. I was referring to my Bookatrack account being opened just to attend national, not my CC. The CC company have assured me they will fix this.

The only thing the people in this thread who have had a card compromised have in common is their Trackday with BAT. Ultimately you were compromised sometime last week, when the transactions happened on the victims. You then realised later on. I am not sure how they did it but they got the info.

I don’t want a reply just need to look at facts. Will leave it at that and trust you will come to logical conclusion.

While you’re hardening the site it’s probably worth moving off md5 encryption for your passwords. It’s now considered weak because it’s so easily brute forced running a cracker on a modern GPU. Something like bcrypt is much, much slower, but the overhead is more than worth it as it makes brute force attempts way more CPU intensive and therefore too slow.

If they had root access to lift an old backup, then they’ll have also dumped the live db. Hashed or not, those passwords are in the wild.

The lesson really is for the end users, assume all sites will be compromised. Hell this one could be and no one would ever figure it out.
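An added illustration of the md5-versus-slow-hash point above (not code from the forum post or from the site in question): bcrypt is not in the Python standard library, so `hashlib.pbkdf2_hmac` stands in as the salted, deliberately slow hash, and the user table is a constructed sample.

```python
"""Added example: why an unsalted MD5 password table cracks fast, and what a
salted, deliberately slow hash buys you.

bcrypt (the poster's recommendation) is not in the standard library, so
hashlib.pbkdf2_hmac stands in here as the slow, salted hash (an assumption of
this example); the property shown, per-user salt plus a tunable work factor,
is the same.
"""
import hashlib
import hmac
import secrets

# Constructed sample "user table": two users who chose the same password.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!"}

def md5_store(password: str) -> str:
    """Legacy scheme: unsalted MD5. One fast hash, same output for the same
    input, so one precomputed table or one GPU run cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated hash. The random salt makes identical passwords hash
    differently; the iteration count is the cost a cracker pays per guess,
    per user, and can be raised as hardware gets faster."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def slow_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def duplicate_hash_count(table: dict) -> int:
    """Number of stored hashes shared between users: anything above 0 means
    an attacker who cracks one entry has cracked all of them."""
    values = list(table.values())
    return len(values) - len(set(values))

if __name__ == "__main__":
    legacy = {u: md5_store(p) for u, p in USERS.items()}
    hardened = {u: slow_store(p) for u, p in USERS.items()}
    print("MD5 duplicates:", duplicate_hash_count(legacy))       # 1
    print("PBKDF2 duplicates:", duplicate_hash_count(hardened))  # 0
    print(slow_verify("Summer2014!", hardened["alice"]))         # True
```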

Thanks, Muu!
Are you using predictive text?
All the above is gibberish to me but I assume some techie folk on here will understand! Any chance of a translation?

Basically you need to have a password for each site that is totally unique without pattern, and that limits the damage that can be done by a hack, as with that password they only have access to one site.

I personally use a random password generator for all sites and keep this secure, rotating my master password every 90 days; there’s a reason corporates do things like this :slight_smile:

Tools to help you manage this are:
http://passwordsafe.sourceforge.net/

https://www.keepassx.org/

Or if you trust online companies like lastpass, though this could easily be targeted as everyone knows these passwords are stored online.

Yea I use onepass, then all my passwords are long strings of gibberish, unique to each site.

Recently started using a random string in my email address too, as gmail supports tags.

I don’t believe in coincidences either and the forensic guys are looking into it. However, I challenge your comment about the only site in common being BaT. I have a family member and a friend who have never used the BaT site who have both had their cards cloned in the last month, too.

I am actually beginning to think this is a much bigger company than BaT that has been had. Amazon? Tesco?

Will see what the forensic guys come back with - they’re getting paid enough to find out, I know that much!

Jonny
BaT