About 57 million customers of US retail chain Hot Topic have been informed that their data may have been compromised in an alleged cyber attack.
Last month, a threat actor going by the name Satanic posted on a popular threat forum that they had exfiltrated a database they claimed contained the personal data of customers from the Hot Topic, Torrid, and BoxLunch retail companies, all three of which were founded by the Hot Topic fashion brand.
Satanic requested that Hot Topic pay $100,000 for the removal of the post or $20,000 to purchase the data. They have since lowered the sale price to $4,000.
About 350 million customers were allegedly affected in the incident.
Now, Have I Been Pwned (HIBP) has issued a warning to 56,904,909 Hot Topic, BoxLunch, and Torrid customers whose accounts were reportedly affected in a breach discovered last month by Israeli cyber firm Hudson Rock.
HIBP said the stolen data includes first names, last names, birth dates, phone numbers, physical addresses, email addresses, purchase history and partial credit card information.
In its earlier reports, Hudson Rock said that it was possible info stealers could be involved in the breach, noting that a Hot Topic employee was infected by an info stealer on 12 September.
Additionally, Hudson Rock reached out to Satanic on Telegram asking if it was an info-stealer breach, to which the threat actor said: “It is, yes”.
Furthermore, Hudson Rock said the breach was likely the result of stolen credentials being used on a Snowflake account that lacked multifactor authentication (MFA), as Satanic claimed.
“The stolen data from this breach – including personal information, payment details, and loyalty points – can be exploited by hackers for identity theft, financial fraud, and account takeovers,” said Hudson Rock.
“The scale of this breach not only threatens individuals but also undermines trust in the affected companies, making it a significant reminder of the risks posed by info stealer infections.”
Earlier this year, Hot Topic customer data was put at risk following a credential stuffing attack.
“Following a careful investigation, we determined that unauthorised parties launched automated attacks against our website and mobile application on November 18–19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source,” the company said.
It is unclear whether the old breach and the latest incident are connected in any way.