Millions of Hot Topic Customers Affected by Massive Data Breach
Cybersecurity firm Hudson Rock and investigation site “Have I Been Pwned” (HIBP) recently reported on a data breach that exposed the personally identifiable information (PII) of at least 56,904,909 customers of Hot Topic and its subsidiaries. The leaked information reportedly includes credit card numbers, customer names, and home addresses.
Back in October of this year, an actor known as “Satanic” posted a thread on the black-hat hacking forum “Breach Forums” looking to sell databases associated with Hot Topic and its subsidiaries, Torrid and BoxLunch. Satanic offered to sell the data for $20,000 to interested parties or demanded $100,000 from Hot Topic to remove the thread. In recent updates, the asking price for general buyers has dropped as low as $3,500.
As reported by Hudson Rock, the data breach is likely the result of an employee at Robling – a retail analytics company – falling victim to an “infostealer” malware attack. Infostealer malware can record cookies, login credentials, and even keystrokes from affected systems.
Using the malware, Satanic was allegedly able to access the employee’s login credentials for the breached databases. The hacker (or hackers) also claimed that they could perform the breach because of a lack of additional security features, such as two-factor authentication.
The figure reported by HIBP and media outlets like Forbes and TechCrunch puts the number of affected customers at around 57 million. However, the original report by Hudson Rock and two lawsuits filed by affected parties since the leak became public estimate the number of affected customers at around 350 million.
If authorities confirm the latter number, this breach would be one of the largest retail data breaches in history, coming directly after a record year for data breaches and exposures.
Atlas Privacy recently obtained a copy of the leaked database and offers a tool for users to check if the breach exposed their personal information.