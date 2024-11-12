If you’re wondering whether your personal and financial data has been compromised in the massive Hot Topic breach, you can use two separate online tools to check: Have I Been Pwned? or DataBreach.com.

Which data was compromised?

News of a potential data breach affecting customers of popular US retailers Hot Topic, Torrid, and Box Lunch – all three owned by private equity firm Sycamore Partners – was first reported by Hudson Rock researchers on October 23, 2024.

They spotted a post on dark web marketplace BreachForums by prominent threat actor “Satanic” offering the stolen data to prospective buyers for $20,000. After analyzing the provided sample, they found that the database contains customers’ names, emails, physical addresses, phone numbers, and birth dates.

It also contains customers’ account numbers and, for some customers, payment card information: card type, name on card, expiry month and year, and the last four digits of the card number. All of these fields except the last four digits are stored in scrambled form, as seen in a screenshot made by the researchers:

Database with financial information (Source: Hudson Rock)

Arnaud de Saint Méloir, a software engineer and researcher at Atlas Privacy, told PC Mag that the financial information is “lightly encrypted” and will likely be quickly decrypted by those who buy the data.

On Reddit, de Saint Méloir cleared up that statement: “[The company] used weak hashing, and brute force would be easy considering how few values there are. For example, expiry year and month are hashed individually, and literally have 12 possible values. The account numbers could also be enumerated quickly on consumer GPUs. I expect some threat actors will be able to decrypt it all in the next few weeks.”
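The weakness de Saint Méloir describes, as an added illustration that is not code from the article or from any party named in it: an unkeyed hash of a field with only a dozen possible values is inverted by hashing every candidate once, whereas a keyed hash (HMAC under a secret kept outside the database) cannot be looked up that way. The hash function (SHA-256), the year range and the key handling are assumptions for the example; the article does not say which scheme the retailer used.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed value spaces: an expiry month has 12 possible values; the
# year range below is an assumption chosen for the demonstration.
EXPIRY_MONTHS: List[str] = [f"{m:02d}" for m in range(1, 13)]
EXPIRY_YEARS: List[str] = [str(y) for y in range(2024, 2036)]


def unsalted_hash(value: str) -> str:
    """The weak scheme: one unkeyed, unsalted digest per field (SHA-256 assumed)."""
    return hashlib.sha256(value.encode()).hexdigest()


def invert_by_enumeration(digest: str, domain: List[str]) -> Optional[str]:
    """Recover a hashed value by hashing every candidate in its small domain.

    Twelve digests is the entire table for a month field; no GPU needed."""
    table = {unsalted_hash(v): v for v in domain}
    return table.get(digest)


def keyed_hash(value: str, key: bytes) -> str:
    """Mitigation: HMAC under a secret key (a 'pepper') that is never stored
    alongside the data. Without the key the candidate table cannot be built."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Stores one record both ways and reports what an unkeyed lookup recovers."""
    key = secrets.token_bytes(32)  # constructed; keep real keys in a KMS/HSM
    stored_month = unsalted_hash("07")
    stored_year = unsalted_hash("2027")
    recovered = (
        invert_by_enumeration(stored_month, EXPIRY_MONTHS),
        invert_by_enumeration(stored_year, EXPIRY_YEARS),
    )
    # The same enumeration run against the peppered value finds no match,
    # because every candidate digest now depends on the secret key.
    unkeyed_table = {unsalted_hash(v): v for v in EXPIRY_MONTHS}
    peppered_leaks = keyed_hash("07", key) in unkeyed_table
    return {"recovered": recovered, "peppered_leaks": peppered_leaks}
```

The `recovered` tuple comes back as the original month and year, while `peppered_leaks` stays false; the field's small domain is the problem, and only a secret key (or tokenization in a separate system) removes it.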

According to Atlas Privacy’s DataBreach.com tool, the database contains email addresses of over 54 million customers, as well as credit card details of 25 million.

Hudson Rock posited that Satanic leveraged credentials stolen via infostealer malware from an employee of Robling, a retail analytics firm, to access Hot Topic and Torrid’s cloud environments on Snowflake (cloud-based data storage and analytics) on Azure and Looker on Google Cloud.

We’ve reached out to Hot Topic for a confirmation or a comment, but we have yet to receive a response.