Hot Topic Apparel Brand Faces Credential-Stuffing Attack

Due to the nature of the attack, Hot Topic says that it was unable to tell which accounts were accessed by legitimate users and which were accessed by threat actors, making the situation all the more difficult.

Dark Reading Staff, Dark Reading

August 2, 2023

2 Min Read
An image of the outside of the store "Hot Topic" inside of a mall.
Source: Helen via Alamy Stock Photo

Customers of American retailer Hot Topic are being notified about multiple "credential-stuffing" cyberattacks that resulted in cracked accounts and sensitive information being exposed to hackers, occurring between Feb. 7 and June 21.

According to a notice to customers, Hot Topic said that it identified suspicious login activity for multiple "Hot Topic Rewards" accounts. After undergoing an investigation, the company determined that automated attacks had been launched against their website as well as its mobile application on multiple different dates, using account credentials that Hot Topic was not the source of.

The type of personal information the unknown threat actors may have accessed are names, email addresses, order histories, phone numbers, mailing addresses, and birthdays. And if a Hot Topic rewards member had a payment card saved to their account, the threat actors would have also been able to see the last four digits of the card number.

Credential-stuffing attacks occur when cybercriminals run an automated script to attempt logins to accounts using lists of stolen user names and passwords purchased on the Dark Web. The attackers bank on users not changing their passwords regularly, or reusing the same password across multiple sites.  

"The recent Hot Topic data breach underscores two intertwined security challenges: compromised credentials, and distinguishing between normal and abnormal behavior," Tyler Farrar, CISO at Exabeam, wrote in an emailed statement. "Valid credentials ... provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins. Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards ... all contribute to a resilient defense against credential-based attacks."

Hot Topic asserted that it is taking the account breaches very seriously, working alongside cybersecurity experts and implementing new measures and steps to safeguard its website and mobile application from these types of automated credential-stuffing attacks. 

In the meantime, Hot Topic has emailed users with instructions to reset their credentials, encouraging them to use strong and unique passwords for its website to avoid future data breaches

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights