"Retail Chain Hot Topic Hit by New Credential Stuffing Attacks"

Hot Topic recently announced that attackers targeted Hot Topic Rewards accounts in automated attacks using login information obtained from an unknown source. The company said it determined that unauthorized parties launched automated attacks against its website and mobile application on November 18-19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source. The company noted that, based on its investigation to date, it is not able to determine which accounts, if any, were accessed by unauthorized third parties as opposed to legitimate customer logins during the relevant time periods. Sensitive information that could have been exposed on compromised accounts includes affected customers' names, email addresses, order histories, phone numbers, months and days of birth, and mailing addresses. Hot Topic says that breached Rewards accounts would have only allowed the attackers to access partial payment data, specifically the last four digits of the card number. The retail chain worked with external cybersecurity experts after the November attacks to deploy bot protection software that should block such attacks in the future.

 

BleepingComputer reports: "Retail Chain Hot Topic Hit by New Credential Stuffing Attacks"

Submitted by Adam Ekwall on