A cybersecurity vendor claimed last month that a hacker stole data from the fashion retailer Hot Topic, including the personal information of millions of customers. At that time, there was no confirmation from the retailer itself. However, a breach notification site has now confirmed that the personal data of 56,904,909 users, belonging to customers of Hot Topic, Torrid, and Box Lunch, was leaked and found online. This data includes email addresses, physical addresses, phone numbers, purchase history, genders, and dates of birth. Partial credit card data was also included in the breach.
What you need to know
The breach notification service Have I Been Pwned (HIBP) announced this week that it alerted 56 million Hot Topic customers about a data breach compromising their personal information. While Hot Topic, which operates more than 640 stores across the U.S., has yet to confirm the breach, HIBP reported that it occurred on October 19. Just two days later, a threat actor using the alias “Satanic” claimed responsibility.
Satanic alleges that the database contains details on 350 million users, though that number seems inflated. The leaked data does, however, include names, email addresses, physical addresses, and dates of birth—all information collected through Hot Topic’s loyalty program. The hacker is offering the database for $20,000 and demanding that Hot Topic pay $100,000 to prevent its sale.
Hudson Rock, an Israeli cybersecurity firm, initially reported the breach and considers it credible. The firm traced the issue back to a malware infection on an employee’s computer at Robling, a third-party retail analytics firm. Hudson Rock, which operates the cyber intelligence platform Cavalier to monitor compromised devices, discovered the infection and flagged it for clients.
It’s likely that the threat actor used credentials stolen by infostealer malware to gain access to an analytics platform used by Hot Topic, potentially allowing them to infiltrate the retailer’s cloud environments.
Hot Topic’s silence after the breach is suspicious
Evidence of a data breach at Hot Topic keeps piling up, but the company hasn’t said a word yet. Customers and state attorneys general haven’t been notified, either. Hot Topic’s silence could mean a few things, especially with such a big breach. They might still be investigating, working with cybersecurity experts to confirm what happened and figure out the extent of the damage. Sometimes, companies stay quiet, hoping to delay or dodge bad press. But this strategy can backfire, leading to more scrutiny and skepticism.
We reached out to Hot Topic to request a comment on our story but did not hear back before our deadline.
5 ways you can stay safe in the event of a data breach
1) Keep a strong password: With the Hot Topic data breach exposing sensitive information, it’s essential to update your passwords. Use a strong, unique password for each account, especially for services where your personal details are stored. A mix of letters, numbers, and symbols will make it harder for hackers to guess. Consider using a password manager to keep everything secure and easily accessible.
2) Beware of suspicious links: After a breach, phishing attempts increase, and hackers may use your leaked email to send fake links or emails. Never click on suspicious links, especially those that ask for personal information. Always double-check the sender’s email and look out for strange language or urgent requests. If in doubt, go directly to the website instead of following the links in the message.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
3) Invest in a data removal service: Since your personal information could be floating around on the dark web or public databases, it’s a good idea to invest in a data removal service. A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.
Special for CyberGuy readers (60% off): Incogni offers a 30-day money-back guarantee. Through the links in this article only, a special CyberGuy discount brings its annual plan to $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people), and you get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
4) Watch out for the risk of identity theft: The leaked data includes sensitive details like addresses, birthdays, and purchase histories, which could be used for identity theft. Be extra cautious when sharing personal information moving forward, and if you notice anything unusual, report it immediately. If you are a Hot Topic customer, you might also want to consider an identity theft monitoring service.
My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
Exclusive CyberGuy deal: 66% off Ultra Annual Plans: Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
5) Monitor your accounts regularly: Keep an eye on your bank accounts, credit card statements, and even loyalty programs where your information is stored. Set up alerts for transactions and logins so you can act fast if anything seems off. Regular monitoring can help you catch fraudulent activity early, minimizing the damage if your data is misused.
Kurt’s key takeaway
The Hot Topic data breach is alarming, especially since it affects over 56 million people. What makes the situation even more concerning is that Hot Topic has stayed silent about it. The company hasn’t notified those affected, leaving many unprepared for potential cybersecurity threats. Hackers could use this gap to target victims with scams, leading to financial losses. This situation is a strong reminder of the importance of maintaining good cybersecurity hygiene—whether you’re impacted by a breach or not.
Should companies be forced to compensate customers whose data has been exposed instead of just staying silent? Let us know in the comments below.
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.