Magecart hackers have spent weeks lurking on NutriBullet’s website

The compromise was ongoing as of this article's publication, according to RiskIQ.
magecart NutriBullet
Magecart Group 8 has put a malicious piece of JavaScript on NutriBullet's three times. (Greg Otto/Scoop News Group)

A group of scammers using a pervasive hacking technique have spent weeks lurking on the website where NutriBullet customers entered their payment data, according to new findings from a cybersecurity vendor.

RiskIQ published research on Wednesday detailing how a hacking group, known as Magecart Group 8, snuck malicious code onto NutriBullet’s website to collect financial information from customers who purchased blenders and other products from the company. The attack began on Feb. 20 and continues today, despite an interruption between March 1 and March 5, RiskIQ said.

NutriBullet did not respond to multiple requests for comment. RiskIQ said its researchers have spent three weeks trying to contact the company without receiving a response. In a statement, NutriBullet thanked RiskIQ for uncovering the issue.

“The company’s IT team promptly identified malicious code and removed it,” a spokesperson said in an email. “We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution.”


“Magecart” is a blanket name for a hacking technique in which attackers insert a small amount of malicious code into the e-commerce payment process. Magecart groups rely on different techniques, with some compromising the payment system Magento, while others use advertisements or analytics software as an entry point into users’ data. British Airways, Ticketmaster, the alcoholic retailer BevMo and the housewares giant OXO are among the thousands of sites that have been affected.

NutriBullet markets its blenders as food processors, which are especially useful for converting fruits, vegetables and liquids into smoothies.

In this incident, Magecart Group 8 added a skimming tool to a JavaScript code library on NutriBullet’s website, according to RiskIQ. The same group previously hit the sleep companies Amerisleep and MyPillow, researchers said, while hackers have used the same technique to infiltrate more than 200 domains online. How much money the hackers stole as a result of this attack remains unclear.

RiskIQ determined that the first skimmer had been installed on Feb. 20, then removed by March 1. By March 2, scammers had built a new domain to steal data, then went down again, and appeared for the third time on March 10. It’s a cat-and-mouse approach researchers have observed before with Group 8 of Magecart, RiskIQ said.

“Their preferred tactic is focusing on individuals victims, avoiding the ‘shotgun approach’ many other Magecart groups take, where they compromise many sites at once and hope for at least one worthwhile victim,” the company said in its report Wednesday. “Instead, Group 8 attackers and skims specific sites they seem to cherry-pick for a particular purpose.”


The global law enforcement agency Interpol announced in January police had arrested three men in Indonesia accused of running a Magecart hacking ring, then using the stolen financial data to purchase electronics and luxury goods.

This story was updated March 18 at 1:10pm ET to include a statement from NutriBullet. 

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts