US retail chain Hot Topic was hit by 12 days of breaches, spread across five waves of attacks in the first half of this year, and it is still assessing the damage.
The series of breaches, which occurred between February 7 and June 21, was the result of automated credential stuffing attacks against the company's website and mobile app, Hot Topic said in a data breach notification filed Monday in California.
A malicious actor obtained valid credentials for Hot Topic Rewards accounts from an unknown third party. “Hot Topic is not the source of the account credentials used in these attacks,” the company said in the disclosure.
Hot Topic does not yet know what personal information was compromised or accessed by the threat actor. It is therefore notifying all customers whose accounts were accessed while the attacks were in progress.
“Based on our investigation to date, we are unable to determine which accounts were accessed by unauthorized third parties, as opposed to legitimate customer logins during the affected periods,” the company said.
The company did not respond to voicemail or email requests for additional information. Private equity firm Sycamore Partners, which acquired Hot Topic for $600 million in 2013, also did not respond to inquiries.
The breach “highlights two closely related security challenges: compromised credentials and distinguishing between normal and abnormal behavior,” Tyler Farrar, chief information security officer at Exabeam, said via email.
“Valid credentials, obtained through previous data leaks or breaches, provide bad actors with potential access to sensitive data,” Farrar said. “Such violations are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate connections, leading to a blanket notification process that may encompass unaffected consumers.”
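Farrar's point about separating attack logins from legitimate ones is where login-log analysis earns its keep. The following is an added example, not Hot Topic's or Exabeam's code: it scores each login source on the two signals typical of credential stuffing (many distinct accounts tried, high failure rate) over a constructed sample log, so that only accounts that succeeded from a flagged source need notification rather than every account active during the window. The log format, IP addresses and thresholds are assumptions.

```python
# Added example (not Hot Topic's code): flag login sources whose pattern
# looks like automated credential stuffing, then list the accounts whose
# successful logins came from those sources. Log format and thresholds
# are assumptions: one "timestamp src_ip account result" line per attempt.
from collections import defaultdict

# Constructed sample log: one client cycles through many accounts with a
# high failure rate; a real customer retries once from another address.
SAMPLE_LOG = """\
2024-02-07T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-02-07T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-02-07T10:00:03Z 203.0.113.7 carol@example.com OK
2024-02-07T10:00:04Z 203.0.113.7 dave@example.com FAIL
2024-02-07T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-02-07T10:00:30Z 198.51.100.4 grace@example.com FAIL
2024-02-07T10:00:45Z 198.51.100.4 grace@example.com OK
"""

MIN_DISTINCT_ACCOUNTS = 5   # assumed: distinct accounts tried per source
MIN_FAILURE_RATE = 0.6      # assumed: share of attempts that failed


def parse_log(text):
    """Yield (timestamp, src_ip, account, success) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            yield ts, ip, account, result == "OK"


def flag_stuffing_sources(events):
    """Return source IPs that tried many distinct accounts and mostly failed."""
    accounts, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, ok in events:
        accounts[ip].add(account)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= MIN_DISTINCT_ACCOUNTS
            and failures[ip] / attempts[ip] >= MIN_FAILURE_RATE}


def accounts_to_notify(text):
    """Accounts with a successful login from a flagged source; others need no notice."""
    events = list(parse_log(text))
    bad = flag_stuffing_sources(events)
    return sorted({acct for _, ip, acct, ok in events if ok and ip in bad})


if __name__ == "__main__":
    print(accounts_to_notify(SAMPLE_LOG))  # ['carol@example.com']
```

On real traffic the same signals are computed per time window and per source fingerprint, not just per IP, since stuffing tools rotate addresses through proxies.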
Customer accounts accessed by the threat actor may have exposed personally identifiable information, including names, email addresses, order history, phone numbers, birthdays, street addresses, and the last four digits of credit or debit card numbers.
“Hot Topic takes this event very seriously,” the company said in the filing. “After detecting suspicious activity, we quickly initiated an investigation and took steps to remediate the activity.”
The company has worked with cybersecurity experts and said it has strengthened the defenses of its website and mobile app with bot protection software, while evaluating additional protective measures. Potentially affected customers are strongly encouraged to reset their passwords.
Hot Topic has more than 600 stores located in malls and shopping centers across the United States and Canada.