iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
In what is being called the largest retail data breach of all time, the personal data of 350 million customers of US fashion retailer Hot Topic was allegedly listed for sale online.
As discovered by Israeli cyber firm Hudson Rock, on 21 October, a threat actor going by the name Satanic posted on a popular threat forum that they had exfiltrated a database they claimed contained the personal data of customers from the Hot Topic, Torrid and BoxLunch retail companies, all three of which were founded by the Hot Topic fashion brand.
Data reportedly includes names, birth dates, genders, physical addresses, emails, invoices, rewards data, previous transactions and payment details, such as the last four digits of customer credit cards, account holder names and hashed expiry dates.
Satanic requested that Hot Topic pay $100,000 for the removal of the post or $20,000 to purchase the data.
Hudson Rock said that it was possible info stealers could be involved in the breach, noting that a Hot Topic employee was infected by an info stealer on 12 September.
Additionally, Hudson Rock reached out to Satanic on Telegram asking if it was an info stealer breach, to which the threat actor said “it is, yes”.
Additionally, Hudson Rock said that the breach was likely the result of stolen credentials and the abuse of a lack of multifactor authentication (MFA) on a Snowflake account, as Satanic claimed.
“The stolen data from this breach – including personal information, payment details, and loyalty points – can be exploited by hackers for identity theft, financial fraud, and account takeovers,” said Hudson Rock.
“The scale of this breach not only threatens individuals but also undermines trust in the affected companies, making it a significant reminder of the risks posed by info stealer infections.”
Earlier this year, Hot Topic customer data was put at risk following a credential stuffing attack.
“Following a careful investigation, we determined that unauthorised parties launched automated attacks against our website and mobile application on November 18–19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source,” the company said.
It is unclear whether the old breach and the latest listed database are connected in any way.
Be the first to hear the latest developments in the cyber industry.
