Retail chain Hot Topic hit by new credential stuffing attacks

Image: Midjourney

American retailer Hot Topic disclosed that two waves of credential stuffing attacks in November exposed affected customers' personal information and partial payment data.

The Hot Topic fast-fashion chain has over 10,000 employees in more than 630 store locations across the U.S. and Canada, the company's headquarters, and two distribution centers.

In credential stuffing attacks, cybercriminals use automated tools to trigger millions of login attempts using a list of username and password pairs. The technique is particularly effective when users reuse the same login information across multiple platforms.

Breach notification letters sent to potentially impacted customers this week reveal that attackers targeted Hot Topic Rewards accounts in automated attacks using login information obtained from an unknown source.

"We determined that unauthorized parties launched automated attacks against our website and mobile application on November 18-19 and November 25, 2023, using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source," Hot Topic said.

"Based on our investigation to date, we are not able to determine which, if any, accounts were accessed by unauthorized third parties as opposed to legitimate customer logins during the relevant time periods."

Sensitive information that could've been exposed on compromised accounts includes affected customers' names, email addresses, order histories, phone numbers, months and days of birth, and mailing addresses.

Hot Topic says that breached Rewards accounts would have only allowed the attackers to access partial payment data, specifically the last four digits of the card number.

The retail chain worked with external cybersecurity experts after the November attacks to deploy bot protection software that should block such attacks in the future.

Hot Topic will also require customers who receive the data breach notifications to set a new password to prevent other threat actors from hijacking their Hot Topic web or mobile accounts.

This notification comes after five other waves of credential attacks targeted Hot Topic customers last year on February 7, March 11, May 19-21, May 27-28, and June 18-21.