Hot Topic chain reports credential-stuffing attacks
Take action: Even your clothes store password should be separate. Use MFA when available and a password manager to generate unique passwords for every account.
Hot Topic, an American retail chain specializing in clothing and accessories, disclosed a series of cyberattacks that occurred between February 7 and June 21. Hackers utilized stolen account credentials to access the Hot Topic Rewards platform multiple times, potentially exposing sensitive information of its customers.
Credential stuffing is a type of cyberattack in which threat actors replay username and password pairs stolen from one service against many other online services, betting that the victims reused the same password there. Because each attempt that works presents a valid credential, Hot Topic stated that it could not differentiate between unauthorized and legitimate logins during the attacks, leading to the decision to notify all customers whose accounts were accessed in the affected period.
As part of its data breach notification, Hot Topic revealed that the attackers launched automated attacks against its website and mobile application on several occasions using valid account credentials obtained from an unknown third-party source.
The potentially exposed information includes
- customers' full names,
- email addresses,
- order history,
- phone numbers,
- dates of birth,
- shipping addresses,
- the last four digits of saved payment cards.
The number of affected individuals is not disclosed.
While Hot Topic has not yet confirmed any malicious access or data exfiltration, it is taking precautionary measures and notifying affected customers.
Although Hot Topic confirmed that it was not the source of the compromised credentials, it was unable to identify where they had originally been stolen from. In response to the cyberattacks, the company implemented additional security measures, which it did not detail, to protect its website and mobile application from future credential-stuffing attacks.
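The pattern described above (automated replay of many different stolen username/password pairs, most of which fail because only a fraction are reused on the target site) is what a defender would look for in login logs. The following Python script is an added example written for this article; it is not Hot Topic's code and the log lines are constructed, not real. It assumes a simple whitespace-separated login log with timestamp, source IP, username and result, flags a source when a short window contains many distinct usernames with a high failure rate, and, matching the point in the article, lists the successful logins from such a source separately, since a valid credential from a stuffing source cannot be told apart from the account owner by the log alone.

```python
"""Detect credential-stuffing patterns in web login logs (added example).

Heuristic: a stuffing bot replays many *different* usernames from one
source in a short window, and most attempts fail because only a fraction
of the leaked pairs are reused on this site.  A real user retrying their
own password touches one username, and normal traffic does not concentrate
many distinct accounts on one address within minutes.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user ok")

# Constructed sample log lines (not from Hot Topic): ts, src IP, username, result.
# 203.0.113.5 sprays eight accounts in three seconds; 198.51.100.9 is one user
# mistyping their own password; 192.0.2.77 is an ordinary login.
SAMPLE_LOG = """\
2024-02-07T10:00:01Z 203.0.113.5 alice@example.com FAIL
2024-02-07T10:00:01Z 203.0.113.5 bob@example.com FAIL
2024-02-07T10:00:02Z 203.0.113.5 carol@example.com OK
2024-02-07T10:00:02Z 203.0.113.5 dave@example.com FAIL
2024-02-07T10:00:03Z 203.0.113.5 erin@example.com FAIL
2024-02-07T10:00:03Z 203.0.113.5 frank@example.com FAIL
2024-02-07T10:00:04Z 203.0.113.5 grace@example.com OK
2024-02-07T10:00:04Z 203.0.113.5 heidi@example.com FAIL
2024-02-07T10:05:00Z 198.51.100.9 ivan@example.com FAIL
2024-02-07T10:05:30Z 198.51.100.9 ivan@example.com FAIL
2024-02-07T10:06:00Z 198.51.100.9 ivan@example.com OK
2024-02-07T11:00:00Z 192.0.2.77 judy@example.com OK
"""

# Thresholds are assumptions for the example; tune them against your own baseline.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.6


def parse_log(text):
    """Parse the constructed log format into time-ordered Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "OK"))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: summary} for sources whose activity matches stuffing."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        suspicious = set()  # indexes of events that fell inside a triggering window
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                suspicious.update(range(start, end + 1))
        if suspicious:
            hits = [evs[i] for i in sorted(suspicious)]
            flagged[ip] = {
                "attempts": len(hits),
                "distinct_users": len({e.user for e in hits}),
                "fail_ratio": round(sum(1 for e in hits if not e.ok) / len(hits), 2),
                # Successful logins from a stuffing source used valid credentials,
                # so the log cannot say whether the owner or the attacker logged in.
                # These are the accounts to force-reset and notify.
                "unverifiable_logins": sorted(e.user for e in hits if e.ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Per-source thresholds like these catch a bot that drives the list from one address; operations spread across residential proxy pools, as credential-stuffing campaigns against retail sites commonly are, keep each address below the threshold, so the same logic should also be run over the site as a whole (distinct usernames per minute and overall failure rate against a normal-day baseline) and paired with the controls the article alludes to, such as rate limiting, bot detection and MFA on the account.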
As part of the security response, Hot Topic is emailing impacted customers with instructions on how to reset their account passwords. The company is also advising customers to choose strong, unique passwords and, if they reuse the same credentials on other platforms, to reset those as well.