Hot Topic Has Been Pwned In A Credential Stuffing Attack

American retailer Hot Topic reports being hit by repeated credential stuffing attacks that used valid credentials. The attacks were automated and repeated over a four-month period. “Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials obtained from an unknown third-party source.”

Hot Topic is an American retail chain specializing in counterculture-related clothing and accessories, as well as licensed music. With 690 stores across the US, 10,000 associates and millions of online and in-store customers, the exposed threat landscape is huge.

In the breach notification the company explained that hackers used customers' stolen account credentials to access their Rewards accounts multiple times. The company said it was not the source of the stolen credentials and still has no idea where the credentials came from.

The company did say that they have taken “specific steps to safeguard our website and mobile application from” credential-stuffing attacks. Because the company was unable to discern between unauthorized and legitimate logins, they would be notifying all customers that had their accounts accessed during the cyberattacks of potential abuse of their credentials.

The information possibly exposed includes:

  • Full name
  • Email address
  • Order history
  • Phone number
  • Date of birth
  • Shipping address
  • Last four digits of saved payment cards

Ted Miracco, CEO, Approov Mobile Security had this comment:  

“Mobile apps for retailers must take the same specific steps to safeguard their website as fintech and healthcare companies, as they are also in possession of valuable client data and vulnerable to automated “credential stuffing” attacks. This includes deploying bot protection software designed to stop such attacks.  

“While Hot Topic stated that they have been working with outside cybersecurity experts, it is not clear why they did not implement mobile app attestation specifically? Mobile app attestation is a very inexpensive security measure that ensures only authentic apps access a backend service, stopping bots, and tampered or repackaged apps. This is an attack where known solutions existed, and it is inexcusable that more precautions were not taken by the management team at Hot Topic.”

Carol Volk, EVP, BullWall follows up with this:  

“Retailers are in a tough spot when it comes to preventing credential stuffing attacks. For starters, as we see here, there is no such thing as a “strong password”, because hackers are not trying to guess our passwords, but leveraging stolen passwords. Whether your password is ‘1234’ or an 18 character string with numbers and symbols, the bad guys already have it. The best way to safeguard against the use of compromised credentials is to require MFA. Unfortunately, retailers know that customers will not tolerate the friction of MFA just to order a t-shirt, a pizza or a movie ticket, so we remain at risk.”

Emily Phelps, Director, Cyware:  

Strong security hygiene is critical to defend against credential stuffing. Consider the following recommendations:

  1. Use multifactor authentication (MFA) whenever available, to enable added layers of security.
  2. Use strong passwords or passphrases that are long enough to make it difficult for an adversary’s tools to figure out.
  3. Use a password manager with encryption to safely store and maintain unique, long passwords.
  4. Limit the number of login attempts from a single IP address within a specified time frame.
  5. Adopt AI/ML technologies that are designed to recognize and block credential stuffing attempts by identifying abnormal behavior patterns.
  6. Consider biometric alternatives.
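Recommendations 4 and 5 above can be approximated with a small sliding-window check over the login log. The following is an added example, not code from the article or from any company quoted in it; it runs over constructed sample events using documentation IP ranges, and the thresholds (5 attempts, 3 distinct accounts per 5-minute window) are assumed values a site would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, account, outcome); not real data.
SAMPLE_LOG = """\
2023-06-18T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-06-18T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-06-18T02:00:02Z 203.0.113.7 carol@example.com OK
2023-06-18T02:00:03Z 203.0.113.7 dave@example.com FAIL
2023-06-18T02:00:04Z 203.0.113.7 erin@example.com FAIL
2023-06-18T02:00:05Z 203.0.113.7 frank@example.com OK
2023-06-18T02:01:00Z 198.51.100.4 alice@example.com FAIL
2023-06-18T02:01:30Z 198.51.100.4 alice@example.com OK
"""

WINDOW = timedelta(minutes=5)   # assumed window size
MAX_ATTEMPTS = 5                # assumed: attempts allowed per source IP per window
MAX_DISTINCT_ACCOUNTS = 3       # assumed: more distinct accounts than this from one IP looks like stuffing

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events

def analyze(events, window=WINDOW, max_attempts=MAX_ATTEMPTS, max_accounts=MAX_DISTINCT_ACCOUNTS):
    """Per-IP sliding-window analysis. Returns {ip: {"alerts": set, "compromised": set}}.
    "rate_limit" fires when attempts in the window exceed max_attempts (recommendation 4);
    "stuffing" fires when one IP tries more than max_accounts distinct accounts, the pattern
    that separates stuffing from one user mistyping their own password (recommendation 5).
    "compromised" collects successful logins from a flagged IP, which is exactly the set the
    company could not tell apart from legitimate logins and must reset and notify."""
    recent = defaultdict(deque)
    report = defaultdict(lambda: {"alerts": set(), "compromised": set()})
    for ts, ip, account, outcome in sorted(events):
        q = recent[ip]
        q.append((ts, account, outcome))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        alerts = report[ip]["alerts"]
        if len(q) > max_attempts:
            alerts.add("rate_limit")
        if len({a for _, a, _ in q}) > max_accounts:
            alerts.add("stuffing")
        if alerts:
            # include successes that happened before the threshold tripped, still inside the window
            report[ip]["compromised"].update(a for _, a, o in q if o == "OK")
    return dict(report)

if __name__ == "__main__":
    for ip, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(info["alerts"]), sorted(info["compromised"]))
```

In the sample, the single user at 198.51.100.4 who fails once and then succeeds trips nothing, while the IP cycling through six accounts is flagged and both of its successful logins are queued for a forced reset.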

Hopefully there’s accounting of what was actually exposed rather than what was potentially exposed. And that accounting happens soon. That way victims of this hack can take the required steps to protect themselves.
