Hot Topic confirms multiple new cyberattacks — customer details and payment info exposed online

Passwords
Image Credit: Shutterstock (Image credit: Shutterstock)

Hot Topic customer may have been victims of a cyberattack when unknown actors tried to log into their accounts, the company has confirmed.

In a breach notification letter sent to its customers, which was later picked up by BleepingComputer, the clothing store said that unidentified threat actors engaged in credential stuffing on November 18-19, and November 25, last year. 

With credential stuffing, an attacker tries a large number of username/password combinations against a service, until one combination works. Automation is usually deployed to speed the process up. 

User data taken

According to Hot Topic, certain Hot Topic Rewards accounts were accessed during that time (the company didn’t specify how many), prompting the subsequent investigation. The company doesn’t know who the attackers are, or if they even managed to log into a noteworthy number of accounts. They also said they don’t know where the attackers got the login credentials from, but are certain they didn’t get it from Hot Topic. 

The breach notification letter was sent “out of an abundance of caution”.

If the threat actors did manage to log into an account, they would have been able to obtain the user’s full name, email address, order history, month and day of birth, and mailing address. Not a lot, but still enough to run some forms of phishing or identity theft attacks. 

Compromised users who saved their credit card details on the platform shouldn’t worry too much, as just the last four digits of the card were visible, the company concluded.

Hot Topic has since reset user passwords, and deployed counter-measures to protect both the website, and the app, from credential stuffing attacks. External cybersecurity experts were also brought in, the company concluded.

Hot Topic has more than 600 stores in the US and Canada, employing more than 10,000 people.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.