Hot Topic confirms multiple new cyber attacks: customer data and payment information exposed online
Hot Topic customers may have fallen victim to a cyberattack when unknown actors tried to log into their accounts, the company has confirmed.
In a breach notification letter sent to its customers, which was later picked up by BleepingComputerAccording to the clothing retailer, unidentified threat actors were busy stuffing credentials on November 18-19 and November 25 last year.
Credential stuffing involves an attacker trying many username/password combinations against a service until one combination works. Automation is usually used to speed up the process.
User data collected
According to Hot Topic, certain Hot Topic Rewards accounts were accessed during that time (the company did not specify how many), prompting the subsequent investigation. The company doesn’t know who the attackers are, or whether they even managed to log into a notable number of accounts. They also said they don’t know where the attackers got the credentials, but are confident they didn’t get them from Hot Topic.
The breach notification letter was sent “out of an abundance of caution.”
If the threat actors managed to log into an account, they could have obtained the user’s full name, email address, order history, month and day of birth, and mailing address. Not much, but still enough to carry out some types of phishing or identity theft attacks.
Compromised users who have their credit card details stored on the platform don’t have too much to worry about, as only the last four digits of the card were visible, the company concluded.
Hot Topic has since reset users’ passwords and implemented countermeasures to protect both the website and app from credential stuffing attacks. External cybersecurity experts were also brought in, the company concluded.
Hot Topic has more than 600 stores in the US and Canada and employs more than 10,000 people.