Millions of customers of Hot Topic have been informed that their personal data was compromised during an October data breach at the American retailer.
Have I Been Pwned, the breach notification service, said this week that it alerted 57 million Hot Topic customers that their data had been compromised.
The stolen data includes email addresses, physical addresses, phone numbers, purchases, genders, and dates of birth. Partial credit card data was also included in the breach, according to HIBP, including credit card type, expiry dates and the last four digits of the card number.
Hot Topic, which has more than 640 stores across the U.S., has not yet confirmed the breach and did not respond to TechCrunch’s multiple requests for comment.
The breach occurred on October 19, according to HIBP, and was claimed by a threat actor operating under the alias “Satanic” on October 21. In a post on the cybercrime forum BreachForums, Satanic claimed to have stolen 350 million user records from Hot Topic and its affiliated brands, Box Lunch and Torrid.
The hacker initially attempted to sell the database for $20,000 and demanded a $100,000 ransom from Hot Topic to take down the information, according to a report by cybersecurity firm Hudson Rock.
In the post on BreachForums, seen by TechCrunch, Satanic is now offering the database for $3,500.
The nature of the security incident that led to the breach is unknown. According to a report from Hudson Rock, the threat actor may have leveraged credentials stolen via infostealer malware to steal credentials for an analytics platform used by Hot Topic to access the retailer’s cloud environments.
It doesn’t appear that Hot Topic has yet notified customers or state offices of attorneys general about the data breach.
