The U.S. retail chain Hot Topic was hit by 12 days of breaches, spread across five waves of attacks during the first half of this year, and it’s still surveying the damage.
The series of breaches that occurred between Feb. 7 and June 21 was the result of automated credential stuffing attacks against the company’s website and mobile application, Hot Topic said in a data breach notification filed Monday in California.
A threat actor obtained the valid account credentials for Hot Topic Rewards accounts from an unknown third party. “Hot Topic was not the source of the account credentials used in these attacks,” the company said in the disclosure.
Hot Topic doesn’t yet know what personal information was compromised or accessed by the threat actor, so it’s notifying every customer whose account was accessed when the attacks were underway.
“Based on our investigation to date, we are not able to determine which accounts were accessed by unauthorized third parties as opposed to legitimate customer logins during the relevant time periods,” the company said.
The company did not respond to voicemail or email requests for additional information. Private equity firm Sycamore Partners, which acquired Hot Topic for $600 million in 2013, also did not respond to inquiries.
The breach “underscores two intertwined security challenges — compromised credentials and distinguishing between normal and abnormal behavior,” Exabeam Chief Information Security Officer Tyler Farrar said via email.
“Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data,” Farrar said. “Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers.”
Customer accounts that were accessed by the threat actor may have exposed personally identifiable information, including names, email addresses, order history, phone numbers, birthdays, mailing addresses and the last four digits of credit or debit cards.
“Hot Topic takes this event very seriously,” the company said in the filing. “After detecting suspicious activity, we promptly began an investigation and took action to address the activity.”
The company has engaged with cybersecurity experts and said it bolstered the defense of its website and mobile application with bot protection software as it evaluates additional protective measures. Potentially impacted customers are strongly encouraged to reset their passwords.
Hot Topic has more than 600 stores situated in malls and shopping centers across the U.S. and Canada.