At a glance.
- American shopping mall mainstay hit with data breach.
- Data security incident at Tennessee healthcare organization.
American shopping mall mainstay hit with data breach.
Hot Topic, an American retailer of rock- and video game-themed apparel and accessories, experienced a series of cyberattacks between February and June 2023. The company’s investigation revealed that the attackers used stolen account credentials to access the Hot Topic Rewards program platform. As Bleeping Computer reports, it’s unclear how the hackers got their hands on the account credentials, but the company has determined they were not obtained from Hot Topic directly, indicating a third-party leak was likely involved. The potentially compromised data includes customer names, email addresses, phone numbers, dates of birth, order histories, shipping addresses, and the last four digits of payment card numbers. There is no evidence yet that the data were exfiltrated. Hot Topic has sent emails to impacted customers alerting them to the breach and urging them to change their passwords.
Erich Kron, Security Awareness Advocate at KnowBe4, points out that password reuse is what makes credential-stuffing attacks effective. "The power behind credential stuffing attacks comes from the fact that people regularly reuse passwords across multiple platforms and websites. Once a bad actor is able to get a person to give up their username and password in a fake login page, or is able to get the information from a previous breach, often sold as part of a large list of known usernames and passwords, they are able to use low-cost or even free tools to automatically try to use these credentials on other websites. Only for the targeted website, it can be very difficult to determine if a login is legitimate or part of a credential stuffing attack, especially if it is a busy website to begin with," he wrote. "Because it's difficult for targeted websites to stop this, it's critical that people take steps to avoid being caught up in one of these attacks. Using tools such as a password manager can help people generate and store complex, and most importantly, unique passwords for the websites they use. Multi-Factor Authentication (MFA) can also be very helpful in the defense against these attacks, because the bad actors need an additional piece of information besides the username and password to complete the login."
Tyler Farrar, CISO at Exabeam, points out that there are two intertwined challenges here, compromised credentials and the ability to detect abnormal behavior on a network:
“The recent Hot Topic data breach underscores two intertwined security challenges: compromised credentials and distinguishing between normal and abnormal behavior. Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers.
“Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards, such as multi-factor authentication, all contribute to a resilient defense against credential-based attacks.
“Most importantly, organizations should establish a clear behavioral baseline for users and devices on their network. Understanding ‘normal’ behavior allows for the identification of deviations that may signify compromised credentials. This approach facilitates faster detection and response to breaches, protecting organizations and their people from potential harm. Remember - you ought to know your network and your people better than the attackers.”
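Farrar's point about a behavioral baseline, and about notification lists that sweep in unaffected customers, is concrete enough to show in code. The following is an added example written for this digest, not code from Exabeam, Hot Topic or any vendor quoted here. It assumes a constructed authentication-log format (`timestamp source_ip username OK|FAIL`), constructed sample lines, and a constructed per-source baseline (`BASELINE`); it profiles each source address, flags sources whose distinct-username count and failure ratio exceed the baseline (the signature of an automated list being replayed), and narrows the notification set to accounts that a flagged source actually logged into.

```python
"""Credential-stuffing detection from login logs by baseline deviation.

Added example for this article; log format, sample lines, thresholds and
the baseline values are all constructed assumptions, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample log: one automated source (203.0.113.10) cycling through
# many usernames with mostly failures, plus two ordinary human logins.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.10 alice FAIL
2023-05-01T10:00:02Z 203.0.113.10 bob FAIL
2023-05-01T10:00:02Z 203.0.113.10 carol FAIL
2023-05-01T10:00:03Z 203.0.113.10 dave OK
2023-05-01T10:00:03Z 203.0.113.10 erin FAIL
2023-05-01T10:00:04Z 203.0.113.10 frank FAIL
2023-05-01T10:00:04Z 203.0.113.10 grace FAIL
2023-05-01T10:00:05Z 203.0.113.10 heidi OK
2023-05-01T10:00:05Z 203.0.113.10 ivan FAIL
2023-05-01T10:00:06Z 203.0.113.10 judy FAIL
2023-05-01T10:01:00Z 198.51.100.7 alice FAIL
2023-05-01T10:01:05Z 198.51.100.7 alice OK
2023-05-01T10:02:00Z 192.0.2.44 bob OK
"""

# Assumed line layout: <timestamp> <source ip> <username> <OK|FAIL>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Constructed baseline of "normal" per-source behaviour over a window: a human
# source rarely tries more than a couple of usernames or fails more than half.
BASELINE = {"max_distinct_users": 2, "max_fail_ratio": 0.5}


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def profile_sources(events):
    """Aggregate attempts, failures and the set of usernames per source IP."""
    profiles = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        p = profiles[e["ip"]]
        p["attempts"] += 1
        p["failures"] += 0 if e["ok"] else 1
        p["users"].add(e["user"])
    return profiles


def flag_stuffing_sources(profiles, baseline=BASELINE, min_attempts=5):
    """Return source IPs that deviate from the baseline on both dimensions.

    Requiring both many distinct usernames AND a high failure ratio avoids
    flagging a shared NAT address where many real users log in successfully.
    """
    flagged = []
    for ip, p in sorted(profiles.items()):
        if p["attempts"] < min_attempts:
            continue  # too little data to call a deviation
        fail_ratio = p["failures"] / p["attempts"]
        if (len(p["users"]) > baseline["max_distinct_users"]
                and fail_ratio > baseline["max_fail_ratio"]):
            flagged.append(ip)
    return flagged


def accounts_to_notify(events, flagged_ips):
    """Accounts that a flagged source successfully logged into.

    This is the set whose credentials are demonstrably valid in the attacker's
    list, which scopes notification far tighter than "everyone".
    """
    flagged = set(flagged_ips)
    return {e["user"] for e in events if e["ok"] and e["ip"] in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(profile_sources(evs))
    print("suspected stuffing sources:", hits)
    print("accounts to notify:", sorted(accounts_to_notify(evs, hits)))
```

In production the baseline would be learned from weeks of history per source population (corporate egress, mobile carrier ranges, residential) rather than fixed constants, and the window would slide in time; the structure of the check, distinct-identity fan-out combined with failure ratio compared against what is normal for that population, stays the same.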
There's also an issue of user self-protection here. Jason Kent, Hacker in Residence at Cequence Security, wrote, "This credential-stuffing attack highlights how organizations that haven’t been hit by this type of attack before can overlook the potential risk and cite that it’s an end user’s responsibility to use more secure credentials. To improve security posture and prevent the risks of credential-stuffing attacks, organizations should keep in mind the four pillars of direction – credentials, tools, infrastructure and behavior. Focusing on these key pillars can help organizations create applications that are less susceptible to automated attacks." He added, "Proper credentials encourage users to create unique identities for services, avoid easily guessable emails as usernames and never allow validating accounts without passwords. Proactively assessing and understanding attack tools is another essential step to remain vigilant as attackers adapt. Organizations should also be aware of users' computing environments, ensuring legitimate users are prioritized while securing the application from malicious connections. Lastly, analyzing and designing application behavior to inform users without aiding attackers avoids exposing sensitive information in error messages, and provides generic messages for failed actions while allowing support teams to monitor more detailed information if needed."
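Kent's last two points, never validating an account without a password and returning generic failure messages to the client while keeping detail for support staff, come down to how a login handler is written. The following is an added example for this digest, not code from Cequence or Hot Topic. It assumes a constructed in-memory user store with a fixed demo salt, and shows a leaky handler (distinct messages for unknown user versus wrong password, which lets an attacker validate a username list) beside a hardened one that returns the same response in all failure cases, does the same hashing work for unknown users, and writes the specific reason only to an internal audit log.

```python
"""Login responses that do not confirm whether an account exists.

Added example for this article. User store, salt and passwords are
constructed for the demo; a real system would use per-user random salts.
"""
import hashlib
import hmac

ITERATIONS = 50_000
_SALT = b"constructed-fixed-demo-salt"  # assumption: one salt for the demo only


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 digest).
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential so that an unknown username costs the same hashing work
# as a known one (otherwise response time reveals which accounts exist).
_DUMMY = (_SALT, _hash("dummy-placeholder-not-a-real-password", _SALT))

GENERIC_FAILURE = "Invalid email or password."

# Internal, support-team-only record. Its contents are never sent to clients.
AUDIT_LOG = []


def login_leaky(username, password):
    """The pattern Kent warns about: the message tells the caller which
    half of the credential was wrong, so usernames can be validated
    without any password at all."""
    if username not in USERS:
        return {"status": 404, "message": "No account with that email."}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"status": 401, "message": "Wrong password."}
    return {"status": 200, "message": "Welcome."}


def login(username, password):
    """Hardened handler: identical client response for every failure,
    constant hashing work, and the real reason only in the audit log."""
    if not password:
        # Never accept or "check" an account with an empty password.
        reason = "empty_password"
        ok = False
    else:
        salt, stored = USERS.get(username, _DUMMY)
        digest_matches = hmac.compare_digest(_hash(password, salt), stored)
        ok = digest_matches and username in USERS  # guard against matching _DUMMY
        reason = "ok" if ok else ("unknown_user" if username not in USERS
                                  else "bad_password")
    AUDIT_LOG.append({"user": username, "reason": reason})
    if ok:
        return {"status": 200, "message": "Welcome."}
    return {"status": 401, "message": GENERIC_FAILURE}


if __name__ == "__main__":
    print(login_leaky("nobody@example.com", "x"))   # reveals account absence
    print(login("nobody@example.com", "x"))         # generic
    print(login("alice@example.com", "x"))          # generic, indistinguishable
    print(AUDIT_LOG[-2:])                           # detail stays server-side
```

The audit log is where the detection side of the story lives: support and security staff can see that a burst of `unknown_user` and `bad_password` records came from one source, while the client-facing surface gives an automated tool nothing to sort a breached list by.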
Ted Miracco, CEO of Approov Mobile Security, sees a particular challenge (and responsibility) for those who develop and provide mobile apps. “Mobile apps for retailers must take the same specific steps to safeguard their website as fintech and healthcare companies, as they are also in possession of valuable client data and vulnerable to automated ‘credential stuffing’ attacks. This includes deploying bot protection software designed to stop such attacks. While Hot Topic stated that they have been working with outside cybersecurity experts, it is not clear why they did not implement mobile app attestation specifically. Mobile app attestation is a very inexpensive security measure that ensures only authentic apps access a backend service, stopping bots, and tampered or repackaged apps. This is an attack where known solutions existed, and it is inexcusable that more precautions were not taken by the management team at Hot Topic.”
And Carol Volk, EVP at BullWall, commented on this incident as well. “Retailers are in a tough spot when it comes to preventing credential stuffing attacks. For starters, as we see here, there is no such thing as a ‘strong password’, because hackers are not trying to guess our passwords, but leveraging stolen passwords. Whether your password is ‘1234’ or an 18-character string with numbers and symbols, the bad guys already have it. The best way to safeguard against the use of compromised credentials is to require MFA. Unfortunately, retailers know that customers will not tolerate the friction of MFA just to order a t-shirt, a pizza or a movie ticket, so we remain at risk.”
Data security incident at Tennessee healthcare organization.
US cardiac care center the Chattanooga Heart Institute has disclosed it suffered a cybersecurity attack on its IT network. An unauthorized party infiltrated the system on two separate occasions in March 2023, and the organization detected the intrusions in April. The attacker accessed confidential patient information including but not limited to names, mailing addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, health insurance information, and information pertaining to diagnoses, lab results, and medications. However, the disclosure notes, the intruder did not retrieve data directly from the Chattanooga Heart Institute’s Electronic Medical Record. Impacted individuals will be notified in the coming weeks by mail and will be given access to Equifax identity monitoring services. A forensic investigation is underway, and impacted systems have been secured and returned to the network with heightened monitoring tools.
Carol Volk, EVP at BullWall, draws a lesson about the indispensability of planning for response and remediation. “Attackers will always find a way into the network," she said. "There is no set of preventative security tools that can prevent 100% of the attacks. While a strict defensive approach is worthwhile and critical, organizations would be wise to shift some of their effort to containing attacks once the perimeter has been breached. Encryption and exfiltration activities can be spotted and stopped, preventing a bad day from becoming a horrible day. A full cyber defense stack must prepare for this.”