cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Hot Topic customer data potentially compromised following credential stuffing attack

US retail chain Hot Topic has disclosed that a cyber attack late last year has potentially resulted in the accounts of some of its customers being accessed and data possibly compromised.

user icon Daniel Croft
Tue, 02 Apr 2024
Hot Topic customer data potentially compromised following credential stuffing attack
expand image

The fast-fashion retail chain, known for catering towards an audience of “teens to young adults” with its alternative and “counterculture-related clothing and accessories”, has informed its customers that in November last year, it detected “suspicious login activity” on some of its customer rewards accounts.

“Following a careful investigation, we determined that unauthorised parties launched automated attacks against our website and mobile application on November 18–19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source,” the company said.

The attack described above is what is known as a credential stuffing attack, where a threat actor uses a dataset of known username and password combinations obtained in other attacks, and attempts to use them on another site or service, with an automated script continuously attempting to log in using the stolen credentials.


This attack’s efficacy depends on users’ tendency to reuse username and password combinations.

“Hot Topic was not the source of the account credentials used in these attacks,” added Hot Topic.

The retailer added that it is yet to determine whether any accounts were actually accessed in the credential stuffing attack, let alone if any information was accessed or compromised.

Hot Topic said that if accounts were accessed, the data that would have been accessible includes names, email addresses, phone numbers, birth dates, mailing addresses, and order history.

“Importantly, if you saved a payment card to your Hot Topic Rewards account, unauthorised parties would only have been able to view the last four digits of the card number,” it said.

Hot Topic said it has engaged third-party cyber security experts and has begun taking steps to secure its systems from future credential stuffing attacks.

It has also launched a forced password reset for its account users to hopefully make the dataset of credentials useless.

“Your privacy is of the utmost importance to us, and we sincerely regret any concern this incident may cause you. The security of your personal information remains a top priority at Hot Topic,” it said.

Credential stuffing is an unsophisticated attack that, while potentially effective, can be thwarted through basic cyber hygiene, such as using different usernames and passwords (or passphrases for added security).

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.