Security News > 2024 > March > Retail chain Hot Topic hit by new credential stuffing attacks
American retailer Hot Topic disclosed that two waves of credential stuffing attacks in November exposed affected customers' personal information and partial payment data.
The Hot Topic fast-fashion chain has over 10,000 employees in more than 630 store locations across the U.S. and Canada, the company's headquarters, and two distribution centers.
Breach notification letters sent to potentially impacted customers this week reveal that attackers targeted Hot Topic Rewards accounts in automated attacks using login information obtained from an unknown source.
The retail chain worked with external cybersecurity experts after the November attacks to deploy bot protection software that should block such attacks in the future.
Hot Topic will also require customers who receive the data breach notifications to set a new password to prevent other threat actors from hijacking their Hot Topic web or mobile accounts.
This notification comes after five other waves of credential attacks targeted Hot Topic customers last year on February 7, March 11, May 19-21, May 27-28, and June 18-21.
News URL
Related news
- How New AI Agents Will Transform Credential Stuffing Attacks (source)
- Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials (source)
- Australian pension funds hit by wave of credential stuffing attacks (source)
- CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download (source)