Millions of Hot Topic customers were informed that their personal data had been compromised during a data breach at the American retailer in October.
Breach notification service Have I Been Pwned announced this week that it had alerted 57 million Hot Topic customers that their data had been breached.
Stolen data includes email addresses, physical addresses, phone numbers, purchases, gender, and date of birth. According to HIBP, the breach also included some credit card data, including credit card type, expiration date, and the last four digits of the card number.
Hot Topic, which has more than 640 stores across the U.S., has not yet confirmed the breach and did not respond to TechCrunch's multiple requests for comment.
According to HIBP, the breach occurred on October 19th and was claimed on October 21st by an attacker operating under the alias “Satanic.” In a post on the cybercrime forum BreachForums, Satanic claimed to have stolen 350 million user records from Hot Topic and its associated brands Box Lunch and Torrid.
The hackers initially tried to sell the database for $20,000 and demanded a $100,000 ransom from Hot Topic to delete the information, according to a report by cybersecurity firm Hudson Rock.
In a BreachForums post seen by TechCrunch, Satanic is currently offering the database for $3,500.
The nature of the security incident that led to the breach is unknown. Hudson Rock reports that the threat actors may have used credentials stolen via infostealer malware, namely credentials for an analytics platform used by Hot Topic, to access the retailer's cloud environment. There is.
Hot Topic does not yet appear to have notified customers or the state attorney general's office about the data breach.