Description
Hot Topic, a major retailer with 675 physical locations and an online presence boasting around 10 million monthly visitors, alerted its customers in early August to a data breach it experienced earlier in the year. This breach, stemming from multiple credential stuffing attacks on specific dates throughout 2023 (February 7, March 11, May 19-21, May 27-28, and June 18-21), may have jeopardized sensitive customer data.
Credential stuffing attacks involve cybercriminals deploying automated tools to access online services. They use large volumes of stolen credentials, often sourced from third parties. Once a user’s account is compromised, the attacker can retrieve profile data, make unauthorized purchases, or prep for subsequent attacks. Hot Topic clarified that they weren’t the origin of the account credentials used. However, affected customers might have had various pieces of personal data exposed, including names, email addresses, phone numbers, birthdates, mailing addresses, order histories, and the last four digits of stored credit card numbers.
Identity Indicators of Compromise
The company became aware of the attacks upon identifying suspicious login activity to certain Hot Topic Rewards accounts. While Hot Topic launched an immediate investigation into the attacks, the company said it could not discern whether a given login during the time frames of the attacks was legitimate or unauthorized.
Containment (If IOCs are identified)
Hot Topic sent an email to all online account holders advising them to change their password. The email instructed them to use a strong password that was unique to Hot Topic rather than a password that has been used with other online accounts. The company also reported that they have sought the services of outside cybersecurity experts. Together, they have implemented a new strategy to safeguard their website and mobile applications from automated credential stuffing attacks, including a way to discern between legitimate logins and unauthorized ones.
Prevention
Credential stuffing attacks have grown highly prevalent over the years as cybercriminals continue to harvest, sell, and trade the credentials of accounts seized in prior data breaches. The good news is that there are some proven measures that can be implemented to protect against this growing threat.
Users should assume that one or more of their online accounts will be compromised at some point. They should therefore take responsibility for not reusing the same password across multiple accounts. By using a distinct password for each online account, they limit the fallout of a compromise on one site to that site alone, since the stolen credential cannot be replayed elsewhere.
Organizations that provide goods or services to online users can take these basic measures to boost their resilience to such attacks.
- Multifactor Authentication (MFA): This involves users verifying their identities using at least two different methods, such as a password (something they know), a phone or authenticator app (something they possess), or biometric data like a fingerprint (something they are). Another option that requires less involvement from the user is a CAPTCHA challenge on login pages that requires the user to click on various pictures or input a series of alphanumeric characters.
- Rate Limiting: By restricting the number of login attempts from a specific IP address within a given time frame, you can hinder or even stop automated login attacks.
- Geofencing: Consider blocking login attempts from regions where your users aren’t located. For instance, a U.S.-based retailer might block logins originating from distant countries.
- Unique Usernames: Encourage the use of usernames distinct from email addresses. This reduces the chances of your accounts getting compromised due to breaches on other platforms.
- Continual Monitoring: Excessive login attempts over a short period should be monitored, as these attempts can be indicative of an attack. Periodic reviews of account activity for signs of unauthorized access should be conducted, and old or dormant accounts should be removed.
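As an added illustration of the rate-limiting and continual-monitoring points above (this is example code written for this page, not Hot Topic's detection logic), the function below scans authentication log lines with a per-IP sliding window and flags sources that show the credential stuffing signature: many attempts, many distinct accounts, and a low success rate. The log format, the thresholds, and the sample log built by `constructed_log()` are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

def parse_auth_line(line):
    """Parse one constructed auth-log line: '<ISO time> <ip> <account> <OK|FAIL>'."""
    ts_text, ip, account, result = line.split()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00")).timestamp()
    return ts, ip, account, result == "OK"

def detect_credential_stuffing(lines, window_s=60, min_attempts=20,
                               min_distinct_accounts=10, max_success_rate=0.2):
    """Return {ip: stats} for source IPs whose logins inside any sliding window
    look like stuffing: many attempts, many distinct accounts, mostly failures.
    A real user retrying one account a few times never trips these thresholds."""
    events = sorted(parse_auth_line(l) for l in lines if l.strip())
    windows = defaultdict(deque)   # per-IP window of (ts, account, success)
    flagged = {}
    for ts, ip, account, ok in events:
        q = windows[ip]
        q.append((ts, account, ok))
        while ts - q[0][0] > window_s:   # drop events older than the window
            q.popleft()
        attempts = len(q)
        distinct = len({a for _, a, _ in q})
        successes = sum(1 for _, _, s in q if s)
        if (attempts >= min_attempts and distinct >= min_distinct_accounts
                and successes / attempts <= max_success_rate):
            flagged[ip] = {"attempts": attempts, "accounts": distinct,
                           "successes": successes}
    return flagged

def constructed_log():
    """Constructed sample log (not real data): one scripted source sprays 25
    stolen email/password pairs in under a minute and 2 of them land, while a
    genuine user mistypes their own password twice before succeeding."""
    lines = []
    for i in range(25):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"2023-06-18T02:00:{i * 2:02d}Z 203.0.113.9 user{i}@example.net {result}")
    lines += ["2023-06-18T02:00:05Z 198.51.100.4 alice@example.net FAIL",
              "2023-06-18T02:00:20Z 198.51.100.4 alice@example.net FAIL",
              "2023-06-18T02:00:41Z 198.51.100.4 alice@example.net OK"]
    return lines

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(constructed_log()).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The same per-IP window and thresholds can drive a rate limiter that blocks or challenges further attempts from a flagged source while leaving the single-account retries of a legitimate user untouched.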