PetSmart warns users to beware of possible cyber scams
PetSmart was forced to log people out of their accounts and reset their passwords due to an ongoing credential stuffing attack.
The US pet retail giant sent a security alert to its users telling them that an unknown threat actor was trying to log into people’s accounts via credential stuffing – an automated attack where the hacker tries countless username and password combinations until they break into an account.
“We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised,” the breach notice said.
Using accounts for spam
With credential stuffing attacks, it is virtually impossible to distinguish between regular traffic (i.e. actual users logging into their accounts) and malicious traffic. So, just to be on the safe side, PetSmart decided to log everyone out and force a password reset.
“Instead, our security tools saw an increase in password guessing attacks on petsmart.com, and during this time your account was logged in. While the login may have been valid, we wanted you to know,” it added. “To protect you and your account, we have disabled your petsmart.com password. The next time you visit petsmart.com, simply click the ‘Forgot your password’ link to reset your password.”
Credential stuffing attacks often work for two reasons: first, people often use weak and easy-to-guess passwords, which automated tools can easily crack; and second, some services offer their users unlimited login attempts, which is ideal for hackers with automation tools. Having access to different accounts may sound pointless, but hackers have ways to take advantage of it. For example, they can use the accounts to spread spam or malware to other users who are not expecting an attack from a familiar face.
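The response described in the notice (spot a spike in failed logins, then reset every account that logged in during it) can be sketched as follows. This is an added example, not PetSmart's tooling; the log format, the 5-minute bucket and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)  # assumed window size

# Constructed sample log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T09:00:10 198.51.100.10 alice OK
2024-03-01T09:01:02 198.51.100.11 bob FAIL
2024-03-01T09:01:20 198.51.100.11 bob OK
2024-03-01T10:00:01 203.0.113.7 erin FAIL
2024-03-01T10:00:02 203.0.113.7 frank FAIL
2024-03-01T10:00:03 203.0.113.8 grace FAIL
2024-03-01T10:00:04 203.0.113.8 heidi FAIL
2024-03-01T10:00:05 203.0.113.7 ivan FAIL
2024-03-01T10:00:06 203.0.113.8 carol OK
2024-03-01T10:02:30 198.51.100.20 dave OK
"""

def parse(log):
    """Return (bucket_start, account, succeeded) for each log line."""
    events = []
    for line in log.strip().splitlines():
        ts, _ip, account, result = line.split()
        t = datetime.fromisoformat(ts)
        # Floor the timestamp to the start of its 5-minute bucket.
        events.append((t - (t - datetime.min) % BUCKET, account, result == "OK"))
    return events

def attack_windows(events, min_failures=5, min_accounts=4):
    """Buckets where failed logins are numerous AND spread over many accounts."""
    failed = defaultdict(list)
    for bucket, account, ok in events:
        if not ok:
            failed[bucket].append(account)
    return {b for b, accts in failed.items()
            if len(accts) >= min_failures and len(set(accts)) >= min_accounts}

def accounts_to_reset(events, windows):
    """Accounts with a successful login during an attack window.

    Legitimate and attacker logins look the same here, so both are reset.
    """
    return sorted({a for b, a, ok in events if ok and b in windows})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(accounts_to_reset(ev, attack_windows(ev)))
```

Bob's single mistyped password at 09:01 does not open a window, while dave's ordinary login at 10:02 is still swept into the reset list because it cannot be told apart from a successful stuffed login.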
PetSmart is considered one of the largest pet product retailers in the US, with more than 60 million customers.
Via BleepingComputer