Data Breach: US Retailer Hot Topic Discloses Multiple Cyberattacks
Retail chain Hot Topic notified its customers that it was a victim of a series of credential-stuffing attacks. The wave of attacks, which took place between February 7 and June 21, 2023, resulted in the exposure of sensitive customer information.
Established in 1988, Hot Topic is an American retailer specializing in licensed music and counterculture-related apparel and accessories. With around 10,000 employees, the company operates both brick-and-mortar (600+ across the US) and online stores.
On August 1, the company notified its customers about the data breach incident, in which stolen account credentials were used to access its Rewards platform. The automated attack against both the website and mobile application was launched several times earlier this year.
“Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials (e.g., email addresses and passwords),” the notification read.
The attack potentially allowed the unknown hackers to steal customers' personal information, including their name, order history, phone number, email address, month and date of birth, and mailing address. The company also revealed that the last 4 digits of the card saved to the compromised account may have been accessed by the unauthorized parties as well.
Following the investigation into the incident, the retailer clarified that it was not the source of the account credentials used in the attacks.
Hot Topic also stated that, on discovering the incident, it had launched several containment measures, including working with third-party cybersecurity experts. Various security measures were also deployed to safeguard the website and mobile application from automated “credential-stuffing” attacks.
Moreover, Hot Topic disclosed that it was unable to differentiate between unauthorized and legitimate logins, so it was notifying all Rewards customers about the incident by email. To avoid phishing attacks, customers were also advised to change their Rewards account password and choose a strong and unique one.