Friday, November 22, 2024

HIBP notifies 57 million people about Hot Topic data breach


Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 Hot Topic, Box Lunch and Torrid customer accounts.

Hot Topic is an American retail chain specializing in licensed counterculture-related clothing, accessories, and music merchandise. The company operates more than 640 stores in the United States and Canada, primarily located in shopping centers, and has a broad customer base.

According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history and partial credit card data of Hot Topic, Box Lunch and Torrid customers.

The security incident was initially claimed on BreachForums by a threat actor named “Satanic” on October 21, 2024. The threat actor claimed to have stolen 350 million user records from Hot Topic and its related brands, Box Lunch and Torrid.

“Satanic” was attempting to sell the database for $20,000 and at the same time demanded a ransom payment of $100,000 from Hot Topic to remove the listing from the forums.

[Image: Hot Topic forum post]

At the time, BleepingComputer contacted Hot Topic to inquire about the authenticity of the data, but did not receive a response.

A report by HudsonRock published on October 23 suggested that the breach may have originated from an information-stealing malware infection that stole credentials for a data unification service used by Hot Topic.

While Hot Topic remained silent and no notifications were sent to potentially affected customers, data analytics firm Atlas Privacy reported last week that the 730 GB database actually impacts 54 million customers.

Additionally, Atlas clarified that the data set contains 25 million credit card numbers encrypted with weak encryption that is easy to decrypt with modern computers.

Although Atlas is not 100% sure the database belongs to Hot Topic, it noted that almost half of all email addresses had not been seen in previous breaches, further supporting the legitimacy of the threat actor's claims.

Atlas says the breach appears to have occurred on October 19 and that the data spans from 2011 to that date.

The firm has set up a website which allows Hot Topic customers to check if their email address or phone number is exposed in the data breach.

Meanwhile, the threat actor continues to sell the database, albeit at a lower price of $4,000.

Potentially affected Hot Topic customers should remain vigilant for phishing attacks, closely monitor their financial accounts for suspicious activity, and change their passwords on all platforms where they use the same credentials.

BleepingComputer has contacted Hot Topic again for comment, but we have not received a response at the time of publication.
