Have I Been Pwned has issued a warning regarding a purported data breach that has compromised the personal information of 56,904,909 accounts belonging to customers of Hot Topic, Box Lunch, and Torrid.
Hot Topic is a prominent American retail chain that focuses on clothing, accessories, and licensed music merchandise associated with counterculture. The company operates more than 640 locations throughout the United States and Canada, primarily situated in shopping malls, and boasts a substantial customer base.
As reported by HIBP, the compromised information includes full names, email addresses, dates of birth, phone numbers, physical addresses, purchase histories, and partial credit card information for customers of Hot Topic, Box Lunch, and Torrid.
The security breach was first reported on BreachForums by a threat actor known as “Satanic” on October 21, 2024. This individual claimed to have acquired 350 million user records from Hot Topic and its affiliated brands, Box Lunch and Torrid.
“Satanic” sought to sell the database for $20,000 and demanded a ransom of $100,000 from Hot Topic to remove the listing from the forums.
A report from HudsonRock, published on October 23, indicated that the breach might have stemmed from an information-stealing malware infection that compromised credentials for a data unification service utilized by Hot Topic.
Despite the seriousness of the situation, Hot Topic has not issued any statements, nor have notifications been sent to potentially affected customers. Data analytics firm Atlas Privacy reported last week that the 730GB database actually affects 54 million customers.
Atlas further stated that the dataset contains 25 million credit card numbers, encrypted with a weak cipher that can be easily decrypted with contemporary computing technology. While Atlas cannot definitively confirm that the database is associated with Hot Topic, it observed that nearly half of the email addresses present were not identified in prior breaches, which lends credence to the threat actor's claims.
The breach is reported to have taken place on October 19, with the collected data dating back to 2011. Atlas Privacy has set up a website where Hot Topic customers can check whether their email addresses or phone numbers appear in the data leak.
In the meantime, the threat actor continues to offer the database for sale, now at a reduced price of $4,000.
Hot Topic customers who may be affected are advised to remain alert for phishing attempts, closely monitor their financial accounts for any unusual activity, and change their passwords on every platform where they use the same credentials.