Retail chain Hot Topic discloses wave of credential-stuffing attacks
American apparel retailer Hot Topic is notifying customers about multiple cyberattacks between February 7 and June 21 that resulted in exposing sensitive information to hackers.
Hot Topic is a retail chain specialized in counter-culture clothing and accessories, and licensed music, that has 675 stores across the U.S. It also operates an online shop with nearly 10 million visitors every month, according to data from SimilarWeb.
In a data breach notification today, the company explained that hackers used stolen account credentials and accessed the Rewards platform multiple times, potentially stealing customer data, too.
"We recently identified suspicious login activity to certain Hot Topic Rewards accounts," reads the notice.
"Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials obtained from an unknown third-party source."
by Hot Topic
The company says that the investigation determined that Hot Topic was not the source of the credentials but it could also not find the source.
As part of the security measures implemented after the attacks, Hot Topic added "specific steps to safeguard our website and mobile application from" credential-stuffing attacks.
"Credential stuffing" is a type of cyberattack that relies on users employing the same credentials on multiple online services. When a leak or data breach occurs, threat actors typically test those username and password pairs on various online services, hoping they get a successful login.
Hot Topic said that it could not discern between unauthorized and legitimate logins. As a result, it will notify all customers that had their accounts accessed during the cyberattacks.
The information that may have been exposed to hackers includes:
- Full name
- Email address
- Order history
- Phone number
- Date of birth
- Shipping address
- Four last digits of saved payment cards
The company has clarified that malicious access or exfiltration of the above information has not yet been verified, but it is notifying potentially breached account holders out of an abundance of caution.
Hot Topic also sends emails to impacted customers containing instructions on resetting account passwords, advising them to pick a strong and unique password.
If you are a Hot Topic customer, resetting your account credentials on other platforms where you might be using the same credentials would be wise.
Comments