
Hot Topic Data Breach Impacts 57 Million Retail Customers

Hot Topic has suffered a data breach affecting 57 million retail customers stemming from a compromised cloud account without multi-factor authentication (MFA).

Hot Topic is a North American counter-culture fashion chain popular with younger demographics. It operates over 640 locations in various malls across the United States and Canada.

While Hot Topic has yet to acknowledge the data breach and notify customers, various sources have corroborated the threat actor’s claims.

Hot Topic data breach leaks sensitive retail customers’ PII

The data breach became public knowledge on October 21, when a threat actor using the handle "Satanic" put 350 million stolen customer records up for sale on BreachForums for $20,000.

Additionally, the attacker tried to extort $100,000 from the company to prevent the public release of the stolen retail customers’ data.

Apparently, once the prospect of a ransom payment or a high-priced sale faded, the threat actor dropped the asking price for the stolen data to about $4,000.

The Hot Topic data breach exposed retail customers' names, addresses, phone numbers, email addresses, dates of birth, the last four digits of credit card numbers, hashed card expiration dates, cardholder names, and other details.

Hot Topic and Box Lunch loyalty account information, including profile IDs, transaction IDs, loyalty points, and expiry dates, was also exposed in the incident. This combination of personal data is a goldmine for cybercriminals running targeted phishing campaigns and identity theft.

According to Troy Hunt’s data breach aggregation website Have I Been Pwned (HIBP), the security incident impacted 56,904,909 Hot Topic, Box Lunch, and Torrid retail customers. HIBP has notified affected individuals to prevent them from falling victim to targeted cyber attacks. However, Hot Topic has yet to notify impacted retail customers.

Similarly, Atlas Privacy found that the 730 GB of stolen data contained 54 million email addresses, along with weakly encrypted credit card data and the names and phone numbers of 25 million retail customers.

Threat intelligence firm Hudson Rock also found that the data breach traced back to infostealer malware on the computer of an employee at a third-party company that helps retailers aggregate data. Hudson Rock estimated that the credential harvesting took place around September 12, 2024.

Infostealers are notorious for extracting saved passwords, security tokens, and session cookies from browsers, operating systems, and applications. Stolen session cookies are particularly dangerous: replaying them resumes an already authenticated session, so the second factor is never prompted for and two-factor authentication is effectively bypassed. Infostealers can also log keystrokes in real time and capture passwords as users type them.

Breached via cloud account without MFA

The threat actor said they used the harvested login credentials to breach a Snowflake Cloud account without multi-factor authentication (MFA).
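The login pattern behind this incident, a stolen password accepted with no second factor, is the first thing a defender should hunt for in cloud login history, and Snowflake exposes exactly the fields needed. The following is an added example, not Hot Topic's, Snowflake's, or the article author's code: it runs simple detection logic over constructed rows whose column names mirror Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, flags successful password-only logins, and isolates those coming from an IP address the user had never used before a cutoff date (here, the September 12 credential harvesting date Hudson Rock estimated). All user names, IP addresses, and timestamps in the sample rows are constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class LoginEvent(NamedTuple):
    """One login record, with field names mirroring Snowflake's
    ACCOUNT_USAGE.LOGIN_HISTORY columns. Timestamps are ISO-8601 strings in
    UTC so that plain string comparison orders them correctly."""
    event_timestamp: str
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: str  # Snowflake reports "YES" / "NO"


# Constructed sample rows for this example, not real Snowflake data.
LOGIN_HISTORY = [
    LoginEvent("2024-09-01T08:02:11Z", "ETL_SVC", "203.0.113.10", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    LoginEvent("2024-09-02T09:15:40Z", "JSMITH", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    LoginEvent("2024-09-10T14:41:05Z", "DATA_ANALYST", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", None, "YES"),
    LoginEvent("2024-09-12T03:27:19Z", "DATA_ANALYST", "192.0.2.55", "OTHER", "PASSWORD", None, "YES"),
    LoginEvent("2024-09-12T03:29:44Z", "DATA_ANALYST", "192.0.2.55", "OTHER", "PASSWORD", None, "YES"),
    LoginEvent("2024-09-12T03:40:02Z", "MARKETING_RO", "192.0.2.55", "OTHER", "PASSWORD", None, "NO"),
]


def password_only_logins(rows):
    """Successful logins whose only factor was a password. A password lifted
    by an infostealer is sufficient to reproduce every one of these."""
    return [
        r for r in rows
        if r.is_success == "YES"
        and r.first_authentication_factor == "PASSWORD"
        and r.second_authentication_factor is None
    ]


def users_without_second_factor(rows):
    """Sorted list of users who have actually logged in with a password alone.
    Key-pair service accounts and MFA-enrolled users do not appear here."""
    return sorted({r.user_name for r in password_only_logins(rows)})


def new_ip_password_logins(rows, cutoff):
    """Password-only successes at or after `cutoff` from an IP address the
    same user never logged in from before `cutoff`. The baseline is built
    from successful logins only, so failed guesses do not pollute it."""
    known_ips = defaultdict(set)
    for r in rows:
        if r.is_success == "YES" and r.event_timestamp < cutoff:
            known_ips[r.user_name].add(r.client_ip)
    return [
        r for r in password_only_logins(rows)
        if r.event_timestamp >= cutoff and r.client_ip not in known_ips[r.user_name]
    ]


if __name__ == "__main__":
    cutoff = "2024-09-12T00:00:00Z"  # estimated credential-harvesting date
    print("Users seen logging in with password only:", users_without_second_factor(LOGIN_HISTORY))
    for ev in new_ip_password_logins(LOGIN_HISTORY, cutoff):
        print(f"REVIEW {ev.user_name} {ev.event_timestamp} from {ev.client_ip} ({ev.reported_client_type})")
```

Against the sample data, only DATA_ANALYST is flagged: the service account authenticates with a key pair and JSMITH completed a Duo push, while the two 03:27 and 03:29 logins from 192.0.2.55 are password-only and come from an address the user had never used. The same filter can be expressed directly in SQL against SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY as a WHERE clause on IS_SUCCESS, FIRST_AUTHENTICATION_FACTOR, and SECOND_AUTHENTICATION_FACTOR. Hunting only finds the problem; the durable fix is to require a second factor for every human user, which Snowflake supports through authentication policies with MFA enrollment set to required, and to move automated jobs to key-pair authentication so no password exists to steal.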

In November 2024, Google Cloud announced that it would enforce multi-factor authentication for all users by the end of 2025, citing the sensitive nature of cloud deployments and the growing prevalence of phishing and stolen credentials.

This is the second credential-related security incident Hot Topic has suffered within a year. Between November 18 and November 25, 2023, the fashion retailer was hit by a credential stuffing attack that prompted the company to force password resets.

Satanic is a relatively new threat actor without an established track record to lend credibility to their claims. While every data breach claim should be taken with a grain of salt, nothing so far suggests that the attacker exaggerated this one.