Retail Chain Hot Topic Discloses Wave of Credential-Stuffing Attacks

American apparel retailer Hot Topic is notifying customers about multiple cyberattacks between February 7 and June 21 that resulted in exposing sensitive information to hackers.

Hot Topic is a retail chain specialized in counter-culture clothing and accessories, and licensed music, with 675 stores across the U.S. It also operates an online shop with nearly 10 million monthly visitors, according to data from SimilarWeb.

In a data breach notification today, the company explained that hackers used stolen account credentials and accessed the Rewards platform multiple times, potentially stealing customer data, too.

“We recently identified suspicious login activity to certain Hot Topic Rewards accounts,” reads the notice.

“Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials obtained from an unknown third-party source.”

The company states that the investigation confirmed Hot Topic was not the source of the credentials, but it was unable to identify the source.

As part of the security measures implemented after the attacks, Hot Topic has added specific steps to safeguard its website and mobile application from credential-stuffing attacks.

“Credential stuffing” is a type of cyberattack that relies on users employing the same credentials on multiple online services. When a leak or data breach occurs, threat actors typically test those username and password pairs on various online services, hoping to achieve a successful login.

Hot Topic acknowledges that it could not distinguish between unauthorized and legitimate logins. Therefore, it will notify all customers whose accounts were accessed during the cyberattacks.

The information that may have been exposed to hackers includes:

  • Full name
  • Email address
  • Order history
  • Phone number
  • Date of birth
  • Shipping address
  • Four last digits of saved payment cards

The company clarifies that malicious access or exfiltration of the above information has not yet been verified. However, it is notifying potentially breached account holders out of an abundance of caution.

Hot Topic is also sending emails to impacted customers containing instructions on resetting account passwords and advising them to choose strong and unique passwords.

If you are a Hot Topic customer, it would be wise to reset your account credentials on other platforms where you might be using the same credentials.

Leave a Reply

Your email address will not be published. Required fields are marked *