Millions of Hot Topic shoppers have data stolen by "Satanic" hacker

Shadowed hands on a digital background reaching for a login prompt.

Image Credit: Shutterstock (Image credit: Shutterstock)

Cybersecurity researchers from Hudson Rock claim the world has just witnessed the “largest retail data breach in history” following an apparent breach at US chain Hot Topic.

In a new research report, the researchers said a threat actor alias ‘Satanic’ recently advertised the sale of a major database on the infamous Breached forum.

The archive belongs to three companies: Hot Topic, Box Lunch, and Torrid, all of which were founded by Hot Topic, and reportedly contains 350 million customers’ PII, including names, emails, addresses, phone numbers, and birthdates, along with billions of payment details, including the last 4 digits of customers’ credit cards, card types, hashed expiration dates, and account holder names, and billions of Hot Topic and Box Lunch loyalty points.

Snowflake and MFA

Drilling deeper, the researchers discovered that the breach originated from a computer belonging to a Robling employee. Robling is a company specializing in providing advanced data analytics and integration solutions for retail and multi-location businesses.

Apparently, the employee’s device was infected with malware in September 2024, which resulted in the theft of more than 240 credentials, including some apparently linked to cloud storage service providers, Snowflake. Those with better memory will remember a large incident this spring, when hundreds of Snowflake customers were hit with credential stuffing and brute-force attacks, leading to the theft of huge amounts of sensitive information.

In this case, the threat actor was free to access the Snowflake account and grab the information stored there. “Lastly, Satanic claimed, we emphasize, the hacker CLAIMED, that the breach originated from a lack of MFA on a Snowflake account along with “other links”,” Hudson Rock said.

Anyone interested in getting their hands on this database should be ready to pay the asking price of $20,000. Alternatively, Hot Topic can have the thread removed from the forums for $100,000.

Via The Register

More from TechRadar Pro

Hundreds of Snowflake customers may have been hit by breach that stole "significant" data
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.