A massive database, allegedly containing 350 million Hot Topic customers’ personal and payment data, appeared for sale on an illicit forum, the Israeli cybersecurity firm Hudson Rock has discovered.
On October 21st, a threat actor under the moniker Satanic posted the data of 350 million shoppers for sale. It claims that the database includes personal information, such as names, email and physical addresses, birth date, gender, rewards, transactions, cards, invoices, and others.
Hudson Rock researchers, who analyzed the provided data sample, attributed the database to three major retail companies : Hot Topic, Torrid, and Box Lunch. All three companies are founded by the US fast-fashion company Hot Topic.
Hot Topic disclosed multiple cyberattacks in 2024 and 2023, however, it is not yet clear if this database is related, as it seemingly was obtained later.
If confirmed, this incident could be the “largest retail breach in history,” Hudson Rock researchers said.
“We’re talking about A LOT of data,” the researchers write.
According to the threat actors, the database includes billions of payment details, including the last four digits of customers’ credit cards, card types, hashed expiration dates, and account holder names. It also contains billions of loyalty points, tied to Hot Topic & Box Lunch and linked to profile identifiers.
“These points could be used by threat actors for account takeovers, especially since many of the points do not expire, as seen in the database,” Hudson Rock warns. “The stolen data from this breach – including personal information, payment details, and loyalty points – can be exploited by hackers for identity theft, financial fraud, and account takeovers.”
The breach may be caused by an infostealer infection. A Hudson Rock investigation revealed that a third-party vendor employee was compromised on September 12th, 2024. The employee had over 240 credentials on the machine, many of which were corporate.
“Researchers identified dozens of credentials associated with corporate URLs related to Hot Topic and Torrid’s environment on Snowflake and Looker (Google Cloud),” the report reads.
“The browsing history of the employee was full of similar references.”
They even contacted the threat actor Satanic, asking for more details, and the hacker provided a matching username. Researchers identified it “was primarily associated with Snowflake-related URLs for Hot Topic and Torrid, along with corresponding credentials.”
According to the quoted cybercriminal, the “breach originated from a lack of MFA on a Snowflake account along with ‘other links.’”
While the provided data sample appears to align with the claims, many uncertainties remain. Hudson Rock strongly believes that the information is likely to be true. Satanic has a reputation for large-scale breaches and operates an infostealer log selling service.
Cybernews has reached out to Hot Topic for a comment but has yet to receive its response.
The hackers were looking to sell 680 GB of data for $20,000, or alternatively want $100,000 from Hot Topic to remove the thread. At the time of writing the price decreased to $10,000.
Your email address will not be published. Required fields are markedmarked