Hot Topic chain reports new credential stuffing attacks

Hot Topic, an American retail chain specializing in fast fashion, is reporting two separate waves of credential stuffing attacks in November, which compromised the personal and partial payment information of its customers.

The company fell victim to cybercriminals who used automated tools to execute millions of login attempts. These attempts utilized username and password pairs previously obtained from an unspecified external source, making it difficult for Hot Topic to discern between unauthorized and legitimate account access. The attacks took place on November 18-19 and November 25, 2023.

Hot Topic has engaged external cybersecurity experts to implement bot protection software aimed at preventing future attacks. The exposed data through this attack includes customers:

• names,
• email addresses,
• order histories,
• phone numbers,
• dates of birth (excluding year),
• mailing addresses.
• the last four digits of payment card numbers.

The number of affected individuals is not disclosed.

Customers affected by these breaches were notified through letters this week and are being instructed to reset their passwords to safeguard against potential account hijacking.

These November incidents are part of a series of credential stuffing attacks against Hot Topic.