Hot Topic hit by wave of cyber attacks

The series of attacks took place between February and June of this year

Olivia Powell
08/02/2023

A Hot Topic storefront

Retail chain Hot Topic has reported that it was the victim of a series of credential stuffing attacks.

Hot Topic alerted its customers to the cyber attack in a data breach notice filed on August 1. According to the brand, cyber attacks were discovered after “suspicious login activity” was registered on its rewards platform. Said attacks took place between February 7 and June 21, 2023, and may have allowed the malicious actors responsible to access sensitive customer information. 

The hackers gained unauthorized access to Hot Topic’s Rewards platform multiple times via stolen credentials. This allowed them to potentially steal customer information, including customer name, mailing address, date of birth, phone number and order history. Partial payment card information (the last four digits of the payment card) may have been accessed if victims had their payment card details saved to their account.

Following an investigation into the data breach, Hot Topic was able to ascertain that legitimate credentials were used in the attack, but that these credentials were obtained from an “unknown third-party source”, and not Hot Topic itself.

Hot Topic assured customers that it has launched a further investigation into the cyber attacks, as well as taking "specific steps to safeguard [its] website and mobile application from automated ‘credential stuffing’ attacks" to prevent further cyber security incidents. 

Credential stuffing attacks see malicious actors use login information stolen during data breaches to gain access to other accounts belonging to victims. They do this by using automated systems to “stuff” the credentials into online sites in the hope that victims have reused passwords across multiple sites.

If a password has been reused, this will allow them to access the account, meaning they are able to steal further data, including personal ID numbers, payment information or authorization controls and corporate data. This data can then be sold on to other malicious actors.
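From the defender's side, the pattern described above (one source trying many different accounts and mostly failing) can be picked out of login logs. The following is an added example, not code from the article or from Hot Topic; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-02-07T10:00:01 203.0.113.7 user01@example.com FAIL
2023-02-07T10:00:02 198.51.100.20 carol@example.com FAIL
2023-02-07T10:00:03 203.0.113.7 user02@example.com FAIL
2023-02-07T10:00:05 203.0.113.7 user03@example.com FAIL
2023-02-07T10:00:06 198.51.100.20 carol@example.com OK
2023-02-07T10:00:07 203.0.113.7 user04@example.com OK
2023-02-07T10:00:09 203.0.113.7 user05@example.com FAIL
2023-02-07T10:00:10 192.0.2.50 dave@example.com OK
2023-02-07T10:00:11 203.0.113.7 user06@example.com FAIL
2023-02-07T10:00:12 192.0.2.50 erin@example.com OK
"""

# Assumed thresholds; tune against real traffic (shared NAT, mobile carriers).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # many different accounts, not many guesses at one
MIN_FAIL_RATIO = 0.8     # reused credentials rarely match, so most attempts fail

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log_text):
    """Flag source IPs that match the stuffing pattern inside a sliding window.
    Returns {ip: {"distinct_users": n, "review_accounts": [...]}} where
    review_accounts are logins that succeeded from a flagged source."""
    events = [parse(l) for l in log_text.strip().splitlines()]  # time-ordered
    windows, peak = defaultdict(deque), {}
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:      # drop attempts older than WINDOW
            win.popleft()
        users = {u for _, u, _ in win}
        fail_ratio = sum(not o for _, _, o in win) / len(win)
        if len(users) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
            peak[ip] = max(peak.get(ip, 0), len(users))
    report = {}
    for ip, n in peak.items():
        hits = sorted({u for _, i, u, ok in events if i == ip and ok})
        report[ip] = {"distinct_users": n, "review_accounts": hits}
    return report

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Accounts listed under `review_accounts` are the ones where a reused password matched, so they are the candidates for a forced password reset and session invalidation.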

Hot Topic urged customers to reset their account password, and to use a strong and unique password, as this can prevent credential stuffing attempts from being successful.

