5.3 Million Credit & Debit Cards On Sale at ‘Joker’s Stash’ Linked to the Hy-Vee Breach

Last updated August 23, 2019
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

KrebsonSecurity reports about a new package that is on sale at the Joker’s Stash which touts 5.3 million “perfect pure fresh dumps”. The details of the pack which is named “Solar Energy” talk about a nationwide breach that includes credit and debit card data from 35 U.S. states, as well as 100 different countries from the EU, Asia, and the Middle East. This brand new pack is linked with the recent Hy-Vee breach that we reported about four days ago, and which affected an unknown number of customers.

jstash-solar1

image source: krebsonsecurity.com

Hy-Vee is a supermarket chain company that operates more than 245 shopping points across the USA. The company discovered that their PoS units have been compromised, warning people who paid in their drive-thru restaurants, coffee shops, and the fuel pumps that their data was not encrypted and thus they should consider their credit and debit cards compromised. As the internal investigation of Hy-Vee is still ongoing and no further details have been published from their side yet, this breach came to disclose the actual number of the customers who have had their payment data exfiltrated from a malware that possibly infected the chain’s PoS system.

As these stolen cards are fresh and unused, they are sold for $17 to $35 each, with the buyer receiving a text file that contains the dump or dumps they paid for. The typical way to use this data is by encoding them onto the magnetic stripe of a blank “clone card”, and using an embosser to add the name of the real owner as well as the number of the card. Of course, online CNP (card not present) transactions on e-commerce platforms are also a possibility since the CVV codes have been leaked too, and PIN numbers are not available for all the dumps.

If you are a customer of Hy-Vee, you should monitor the activities of your account closely and report any suspicious charges that you don’t recognize to your financial institution. Remember, the US law on fraudulent transactions has you covered for $50 for each unrecognized charge, but if you’re using a debit card, the reporting has to be done within two days. If two days pass without reporting, the maximum consumer liability can reach to $500 during the first two months and enter “unlimited” mode after that. Of course, it all depends on the particular debit card issuer, but our advice is that you should not take your chances.

Are you a customer of Hy-Vee? Will you be trusting them again in the future? Let us know in the comments down below, and don’t forget to help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: