Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Have I Been Pwned says 57m affected in Hot Topic data breach

About 57 million customers of US retail chain Hot Topic have been informed that their data may have been compromised in an alleged cyber attack.

user icon Daniel Croft
Tue, 12 Nov 2024
Have I Been Pwned says 57m affected in Hot Topic data breach
expand image

Last month, a threat actor going by the name Satanic posted on a popular threat forum that they had exfiltrated a database they claimed contained the personal data of customers from the Hot Topic, Torrid, and BoxLunch retail companies, all three of which were founded by the Hot Topic fashion brand.

Satanic requested that Hot Topic pay $100,000 for the removal of the post or $20,000 to purchase the data. They have since lowered the sale price to $4,000

About 350 million customers were allegedly affected in the incident.

============
============

Now, Have I Been Pwned (HIBP) issued a warning to 56,904,909 Hot Topic, Box Lunch, and Torrid customers whose accounts were reportedly affected in a breach discovered last month by Israeli cyber firm Hudson Rock.

HIBP said the stolen data includes first names, last names, birth dates, phone numbers, physical addresses, email addresses, purchase history and partial credit card information.

In its earlier reports, Hudson Rock said that it was possible info stealers could be involved in the breach, noting that a Hot Topic employee was infected by an info stealer on 12 September.

Additionally, Hudson Rock reached out to Satanic on Telegram asking if it was an info-stealer breach, to which the threat actor said: “It is, yes”.

Furthermore, Hudson Rock said the breach was likely the result of stolen credentials and the abuse of a lack of multifactor authentication (MFA) on a Snowflake account, as Satanic claimed.

“The stolen data from this breach  –  including personal information, payment details, and loyalty points  –  can be exploited by hackers for identity theft, financial fraud, and account takeovers,” said Hudson Rock.

“The scale of this breach not only threatens individuals but also undermines trust in the affected companies, making it a significant reminder of the risks posed by info stealer infections.”

Earlier this year, Hot Topic customer data was put at risk following a credential stuffing attack.

“Following a careful investigation, we determined that unauthorised parties launched automated attacks against our website and mobile application on November 18–19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source,” the company said.

It is unclear whether the old breach and the latest incident are connected in any way.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.