American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers’ personal information and partial payment data.

Hot Topic, Inc. is an American fast-fashion company specializing in counterculture-related clothing and accessories, as well as licensed music.

The company was the victim of credential stuffing attacks against its website and mobile application on November 18-19 and November 25, 2023. The attackers detected suspicious login activity to certain Hot Topic Rewards accounts.

Threat actors obtained valid account credentials obtained from an unknown third-party source.

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

“We recently identified suspicious login activity to certain Hot Topic Rewards accounts. Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on November 18-19 and November 25, 2023 using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source. Hot Topic was not the source of the account credentials used in these attacks.” reads the notification sent to the potentially impacted customers.

The company informed customers that it could not confirm whether unauthorized third parties accessed any accounts or if the logins were legitimate customer access during the relevant periods. The company only observed that the account credentials of potentially impacted customers were used to log into their Rewards account.

“It’s important to note that we have not concluded any unauthorized access to your Hot Topic Rewards account. We’re sending you this notice as a precautionary measure.” continues the notification.

Threat actors may have accessed customers’ names, email addresses, order history, phone numbers, month and day of their births, and mailing addresses. If the potentially impacted customers had saved a payment card to their Rewards account, threat actors could have accessed the last four digits of the card number.

Hot Topic revealed that after detecting the suspicious activity, they launched an investigation with the help of outside cybersecurity experts. The company also announced the implementation of specific measures to improve the website and mobile application protection from credential stuffing attacks. The company also recommends changing the account password.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)