Apparel Retailer Suffers Data Breach via Credential Stuffing Bot Attack


Fraudsters accessed the rewards platform of clothing retailer Hot Topic, affecting an unknown number of customers and compromising personally identifiable information (PII). The unauthorized account access was the result of credential stuffing attacks: bots systematically attempted logins and were able to access accounts whose email address and password combinations had been compromised in another data breach.

The cyber attacks occurred on multiple occasions between early February and late June of this year. The retailer reported the incident to consumers and filed a data breach notification with the state of California. Hot Topic determined that many accounts were accessed using valid credentials obtained from an unknown third-party source and sent a notification to everyone with a registered user account.

This is an all-too-common example of an account takeover (ATO) attack, with lessons to be learned by both organizations and consumers. For organizations, it is a reminder that a user simply supplying the correct password does not prove that the true account holder is the one attempting to log in. More robust bot detection checks and other ATO risk management checks, such as considering the source IP address or device ID, could’ve stopped this. Hot Topic stated that further security measures will be implemented as a result of the attacks, with “specific steps to safeguard our website and mobile application from” such credential stuffing attacks.
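The point above, that a correct password is not proof of the account holder, is easiest to see with the two signals the article names. The following is an added example, not code from the article or from Hot Topic: a small risk check run over constructed login events. It flags a source IP as a credential-stuffing bot when it tries many distinct accounts in a short window with mostly failures, and it requires step-up verification when a valid password arrives from an IP/device pair the account has never used. The field names, thresholds and sample IPs (RFC 5737 test ranges) are assumptions chosen for illustration.

```python
"""Added example: account-takeover risk checks that look beyond password validity.

Signals modelled (field names and thresholds are illustrative assumptions):
  1. Credential-stuffing behaviour: one source IP attempting many distinct
     accounts inside a short window, with a high failure ratio.
  2. A correct password presented from an IP/device the account has never used.
All events below are constructed sample data, not real logs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed)
    ip: str            # source IP of the attempt
    device_id: str     # client/device identifier presented with the attempt
    account: str       # account the attempt targets
    password_ok: bool  # whether the submitted password was correct


# Illustrative thresholds; real values are tuned to the site's traffic.
WINDOW_SECONDS = 300       # look-back window for per-IP aggregation
MAX_ACCOUNTS_PER_IP = 20   # distinct accounts from one IP inside the window
MIN_FAILURE_RATIO = 0.8    # share of attempts from that IP that failed


def stuffing_ips(events, window=WINDOW_SECONDS,
                 max_accounts=MAX_ACCOUNTS_PER_IP, min_fail=MIN_FAILURE_RATIO):
    """Return the set of IPs whose behaviour looks like credential stuffing.

    For each IP, slide a time window over its events and flag the IP if any
    window holds at least `max_accounts` distinct accounts and at least
    `min_fail` of the attempts in that window failed.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e.account for e in chunk}
            failures = sum(1 for e in chunk if not e.password_ok)
            if len(accounts) >= max_accounts and failures / len(chunk) >= min_fail:
                flagged.add(ip)
                break
    return flagged


def build_history(events):
    """Map account -> set of (ip, device_id) pairs seen on successful logins."""
    hist = defaultdict(set)
    for e in events:
        if e.password_ok:
            hist[e.account].add((e.ip, e.device_id))
    return hist


def decide(event, history, bad_ips):
    """Decision for one attempt: deny / block / step_up / allow."""
    if not event.password_ok:
        return "deny"
    if event.ip in bad_ips:
        return "block"      # correct password, but the source behaves like a bot
    if (event.ip, event.device_id) not in history.get(event.account, set()):
        return "step_up"    # valid password from an unfamiliar IP/device
    return "allow"


# Constructed sample traffic. T0 is an arbitrary base timestamp.
T0 = 1_700_000_000
KNOWN = [LoginEvent(T0 - 86_400, "203.0.113.5", "dev-alice", "alice", True)]
BOT_IP = "198.51.100.7"
BOT_BURST = [
    LoginEvent(T0 + i, BOT_IP, "headless-1", f"user{i:03d}", False) for i in range(23)
] + [
    LoginEvent(T0 + 23, BOT_IP, "headless-1", "alice", True),  # reused password hit
    LoginEvent(T0 + 24, BOT_IP, "headless-1", "bob", True),    # reused password hit
]
FRESH = [
    LoginEvent(T0 + 60, "203.0.113.5", "dev-alice", "alice", True),  # usual device
    LoginEvent(T0 + 61, "192.0.2.9", "dev-new", "bob", True),        # never seen before
]


def run_demo():
    """Apply both checks to the constructed sample and return the decisions."""
    bad = stuffing_ips(BOT_BURST)
    history = build_history(KNOWN)
    return {
        "bad_ips": bad,
        "alice_from_bot": decide(BOT_BURST[23], history, bad),
        "bob_from_bot": decide(BOT_BURST[24], history, bad),
        "alice_usual": decide(FRESH[0], history, bad),
        "bob_new_device": decide(FRESH[1], history, bad),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The two checks are deliberately independent: the per-IP aggregation catches the bot even when individual guesses succeed, and the per-account device history catches a single reused password arriving from somewhere new, which is exactly the case where "the password was correct" would otherwise let the attempt through.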

For consumers, reusing the same email or username and password combination across sites is an insecure practice, as credentials stolen in one data breach will inevitably be tried elsewhere. Consumers whose rewards account was accessed may also have had their date of birth, phone number and other PII seen, and scraped, by the fraudsters.

