Hot Topic’s Approximately 57 Million Breached Accounts Added to HIBP

• The massive Hot Topic data breach discovered in October ended up on the data breach notification service Have I Been Pwned.
• Approximately 57 million unique email addresses and the associated sensitive data were compromised.
• These include partial payment card details and personally identifiable information.

The popular fashion retailer Hot Topic suffered a data breach on October 19 that exposed approximately 57 million unique email addresses. The impacted data also included sensitive personal details and payment card data.

The security incident compromised the data of 56,904,909 unique customer emails, including names, physical addresses, phone numbers, purchases, genders, dates of birth,  purchases, salutations, and partial credit data containing card type, expiry, and last four digits. The emails have been added by the data breach notification service Have I Been Pwned.

The significant Hot Topic data breach surfaced soon after when a cybercriminal operating under the moniker 'Satanic' claimed to have compromised the personal information of approximately 350 million customers via an infostealer infection. 

Security experts believed the breach possibly originated from an employee at retail analytics company Robling, as a malware infection that spread in September enabled unauthorized access to sensitive information, including 240 credentials.

The hacker, whose reputation as a data thief is acknowledged within cybercrime circles, was selling the dataset for $20,000, a relatively low asking price, and reportedly offered Hot Topic a $100,000 settlement to withdraw the sale listing.

Despite the extensive scope of the data theft, the immediate impact is considered limited. The information stolen lacks complete financial details, reducing its value for malicious exploitation. However, the potential for phishing attacks targeting Hot Topic customers remains a concern.

In June, luxury retailer Neiman Marcus acknowledged a May security incident that exposed sensitive customer details, including names, addresses, phone numbers, and more. The company confirmed that the data breach was connected to its Snowflake account.