Cyberattack strikes Hot Topic retail chain again


The US fast-fashion company has been hit by a credential-stuffing attack for the 7th time in a year, with clients’ data being stolen.

In a notice to affected clients, the company stated that “unauthorized parties launched an automated attack” against the company’s website and mobile application.

The company’s investigation determined that the attacks happened on November 18-19th and November 25th, 2023, using “valid account credentials obtained from an unknown third-party source.”


The credentials used in the attacks were likely sourced from other data breaches. In a credential-stuffing attack, threat actors gather credentials that were exposed in data breaches and use them to log into other websites. Cybernews recommends using a data leak checker to check whether your credentials have been compromised in the past.

The company has no information on which accounts might have been accessed by the threat actors. The data that could have been compromised includes:

  • Names
  • Email addresses
  • Order history
  • Phone numbers
  • Months and days of birth
  • Mailing addresses

If users have saved a payment card to their account with the retailer, the threat actors may have accessed the last four digits of the card number.

To safeguard its systems, the company claims to have deployed bot protection software designed to stop credential-stuffing attacks in the future.

This is the 7th time that cybercriminals have targeted the retail chain. In 2023, the company experienced multiple automated attacks. Threat actors struck on February 7th, March 11th, May 19-21st, May 27-28th, and June 18-21st, 2023. The attacks resulted in user data being compromised.

Hot Topic is not the only victim of credential-stuffing attacks. Just this month, US streaming company Roku disclosed a data breach that impacted more than 15,000 customers. Thousands of users were then locked out of their accounts, allowing threat actors to make purchases using stored credit card information, with users actually receiving order confirmation emails.

To stay safe, it’s advisable to use unique, strong passwords and change them often. To create a strong password automatically, you can use a password generator.
