
Hackers crack Egghead

The Internet retailer says a hacker accessed its computer systems, possibly exposing millions of credit card numbers. Egghead executives scrambled Friday to gauge how much of its 3.7-million-customer database had been stolen by intruders during an online theft, which experts believed happened the day before.

"We're in continuous crisis mode here," said a consultant from physical and electronic security firm Kroll Worldwide--the experts called in when Egghead discovered the intrusion on Thursday. The consultant asked not to be named.

On Friday, Egghead acknowledged that the company's servers had been hacked by network intruders and its customers' credit-card numbers potentially stolen.

"Egghead has discovered that a hacker has accessed our computer systems, potentially including our customer databases," the online electronics and computer retailer said in a statement early Friday.

"As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit-card companies we work with."

Sources inside the credit-card industry said late Thursday that Egghead had turned over the names of 3.7 million credit-card holders, any number of whom could have had their data compromised.

"It's unclear how much, if any, of that has been compromised, and we have provided this information to the credit-card companies as a precautionary measure," said Egghead spokeswoman Shoreen Maghame.

According to an October earnings release, 3.6 million customers had registered to bid on or buy products using Egghead's service. Thursday's precautionary measure suggests that the company considered its entire customer database to be at risk from the break-in.

Egghead co-chairman Jerry Kaplan said Friday there was "no evidence" to suggest that any of the credit cards had been taken. At the same time, he could not say for certain that the database had not been pilfered.

"Somebody broke into the Web site, that doesn't mean the customer data was compromised," Kaplan said.

A team of auditors called in by Egghead expect to know within the week whether any credit card data was compromised, Kaplan said. He knew of no complaints about bogus charges surfacing from Egghead customers.

On Thursday, Egghead executives denied any break-in, and company officials did not respond to requests for comment until later that night.

Friday morning, the company acknowledged the intrusion in an early-morning press release.

By late Friday morning, law enforcement sources confirmed that Egghead had contacted them and that they were investigating the case.

Analysts and industry watchers say the break-in highlights the general lack of security that companies have for their servers.

"Server protection is really out of control," said Avivah Litan of researchers Gartner Group. Given the numbers, the heist is, far and away, the largest credit-card database infiltrated by cyberthieves to date.

A year ago, online music seller CD Universe lost more than 300,000 credit cards to a Russian thief, while earlier this month online credit-card clearinghouse lost another 55,000.

Egghead's inability to determine how many of its customers had been compromised may mean that the company does not have a real-time auditing system in place, said Paul Robertson, senior developer for security service firm TruSecure Corp.

"If you don't know how many credit-card numbers you lost, you are giving a quick, blanket, worst-case answer--and then finding out what happened afterwards," he said.

Robertson said Egghead uses Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

IIS is known to have had many security flaws. The two most common exploits are the remote data services flaw--used often by "script kids" to deface Web servers--and a relatively new Unicode exploit that can result in an attacker gaining complete control of the server.

However, Robertson said such holes should have been patched.

"It really doesn't matter what Web server you are running...if you are not keeping up with patches, you're insecure."
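Robertson's two points, that Egghead apparently lacked real-time auditing and that the two common IIS holes were the remote data services flaw and the Unicode exploit, can be illustrated with a small log check. The following is an added example, not code from the article or from Egghead; the log lines are constructed, and the two signatures it looks for (the overlong UTF-8 encoding of "/" that the IIS Unicode flaw accepted, and the msadcs.dll path used by the RDS flaw) come from the public advisories for those flaws, not from this page.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed IIS-style access log lines: method, request path, status.
SAMPLE_LOG = [
    "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir 200",
    "GET /msadc/msadcs.dll 200",
    "GET /products/laptops.asp?id=42 200",
    "GET /scripts/../../winnt/system32/cmd.exe 404",
]

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
RDS_PATH = "/msadc/msadcs.dll"  # endpoint hit by the RDS flaw (assumed from the advisory)


def decode_path(raw: str) -> str:
    """Percent-decode, then fold overlong two-byte UTF-8 sequences (lead byte
    C0/C1, never valid) into the ASCII character they encode, so that
    ..%c0%af is seen as ../ just as a lenient server-side decoder would."""
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("utf-8", errors="replace")


def classify(line: str) -> Optional[str]:
    """Label one log line, or return None if it looks benign."""
    _method, raw_path, _status = line.split(" ", 2)
    raw_path = raw_path.split("?", 1)[0]
    path = decode_path(raw_path)
    if TRAVERSAL.search(path):
        # Traversal that only appears after decoding is the Unicode-bypass pattern.
        return "encoded-traversal" if path != raw_path else "traversal"
    if path.lower() == RDS_PATH:
        return "rds-probe"
    return None


def scan(lines):
    """Return (line, label) for every line that trips a signature."""
    return [(line, classify(line)) for line in lines if classify(line)]
```

Run over a live log tail, this is the kind of near-real-time audit that lets an operator say which requests reached the server rather than giving the blanket worst-case answer Robertson describes.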