Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

350m Hot Topic customers have data allegedly posted online

In what is being called the largest retail data breach of all time, the personal data of 350 million customers of US fashion retailer Hot Topic was allegedly listed for sale online.

user icon Daniel Croft
Mon, 28 Oct 2024
350m Hot Topic customers have data allegedly posted online
expand image

As discovered by Israeli cyber firm Hudson Rock, on 21 October, a threat actor going by the name Satanic posted on a popular threat forum that they had exfiltrated a database they claimed contained the personal data of customers from the Hot Topic, Torrid and BoxLunch retail companies, all three of which were founded by the Hot Topic fashion brand.

Data reportedly includes names, birth dates, genders, physical addresses, emails, invoices, rewards data, previous transactions and payment details, such as the last four digits of customer credit cards, account holder names and hashed expiry dates.

Satanic requested that Hot Topic pay $100,000 for the removal of the post or $20,000 to purchase the data.

============
============

Hudson Rock said that it was possible info stealers could be involved in the breach, noting that a Hot Topic employee was infected by an info stealer on 12 September.

Additionally, Hudson Rock reached out to Satanic on Telegram asking if it was an info stealer breach, to which the threat actor said “it is, yes”.

Additionally, Hudson Rock said that the breach was likely the result of stolen credentials and the abuse of a lack of multifactor authentication (MFA) on a Snowflake account, as Satanic claimed.

“The stolen data from this breach  –  including personal information, payment details, and loyalty points  –  can be exploited by hackers for identity theft, financial fraud, and account takeovers,” said Hudson Rock.

“The scale of this breach not only threatens individuals but also undermines trust in the affected companies, making it a significant reminder of the risks posed by info stealer infections.”

Earlier this year, Hot Topic customer data was put at risk following a credential stuffing attack.

“Following a careful investigation, we determined that unauthorised parties launched automated attacks against our website and mobile application on November 18–19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source,” the company said.

It is unclear whether the old breach and the latest listed database are connected in any way.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.