A 25-year-old hacker stole more than $80,000 worth of goods from Nike by exploiting a weakness in their online stores.
According to the federal indictment, “Case agents with the United States Secret Service and United States Postal Inspection Service received information from a representative of Nike that computer accounts provided by Nike to contract client-athletes had been fraudulently accessed and used to order Nike merchandise.”
Behind the above legalese is a far more interesting story. Brad Stephenson is a former college baseball player who learned something interesting from his associations with professional athletes: Nike allows some athletes to order merchandise for free. These elite-athlete accounts are for some of Nike’s most prominent client athletes. Stephenson managed to have himself listed as a “guest” of 12 of these special accounts and had merchandise shipped to various addresses in the US. He was able to use the vulnerability for five months before he was caught.
When federal agents came to serve him with a search warrant the day after his 25th birthday, they only recovered 231 items worth a little more than $17,000. Court documents indicate that Stephenson gave the rest of the items away as gifts or sold them on sites like eBay.
Nike has not released the names of the players whose Nike Elite accounts were hacked. When the players were questioned by agents, they reportedly responded that they were unaware of the breach.
Stephenson was indicted on one count of computer fraud and struck a plea deal after agreeing to help Nike fix the weaknesses in their system. He has reportedly written a book where he discusses how he was able to hack Nike and divulges the names of the players whose elite-athlete accounts he compromised.
Pictures posted on a sports-themed site run by Stephenson show Stephenson at multiple events with B.J. Upton and Justin Upton. B.J. Upton is a center fielder for the Tampa Bay Devil Rays, and Justin Upton plays for the Arizona Diamondbacks.
The site also shows a check from Stephenson to Justin Upton for $40,000. The date of the check is blacked out on the website. Nothing in the court filings indicates that the famous baseball brothers, the only brothers in Major League Baseball history to be picked in the first and second rounds of the draft, are under investigation. However, their closeness to Stephenson and the fact that Nike does sell products bearing the Uptons’ name (such as jerseys and t-shirts) suggest to some that their accounts were among the 12 that Stephenson used.
Protecting assets in online stores has become an increasing worry for retailers around the world. In the past week, NVIDIA reported that their online stores were hacked, with tens of thousands of accounts compromised, and a Russian hacker claims to have found a security weakness that will allow Apple iOS users to get around paying for upgrades to their applications.