Hack of Japanese Retailer Exposes 460,000 Customer Accounts
Fast Retailing Says Credential Stuffing Suspected
Fast Retailing, which owns several of Japan's biggest retail clothing chains, is warning of an attack that may have exposed personal information, including email addresses and partial credit card information, of more than 460,000 of the company's online customers.
The attack is affecting the company's Uniqlo Japan and GU Japan online retail brands. Fast Retailing warns that the number of victims could grow as the investigation continues.
Sometime between April 23 and May 10, an attacker hacked into the company's network and accessed more than 460,000 customer accounts, Fast Retailing says in a statement. It appears the attackers used "list type account" hacking - or credential stuffing - techniques to guess usernames and passwords, the company notes.
Company representatives were first tipped off to the breach when customers began contacting them about receiving unauthorized emails. A subsequent security check found the spot in the network where the data was leaking and closed off access. In response, Fast Retailing is working on strengthening security around various endpoints, according to the statement.
The exposed data potentially includes:
- Customers' names and addresses;
- Personal data, including phone numbers, mobile phone numbers, email addresses, gender, date of birth, purchase history and even clothing measurements;
- Partial credit card information, including cardholder names, expiration dates and a portion of the credit card number. CVV numbers, however, were not displayed or stored.
"Fast Retailing sincerely apologizes for the trouble and concern this has caused to its customers and all others involved," according to the statement. "Going forward, the company will further strengthen its security measures and take steps to ensure safety, in order to prevent similar incidents in the future."
The company, along with the Tokyo Metropolitan Police, is investigating, and the retailer is asking customers to reset their passwords and to closely monitor their account activity.
Credential Stuffing & Retail
Credential stuffing, a technique in which cybercriminals take usernames and passwords stolen from one site and try them against accounts on another, is becoming a greater concern because commodity software and specialized bots are making this type of attack easier to pull off, according to security researchers (see: Bot-Driven Credential Stuffing Attacks).
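An added example, not from the article or from Fast Retailing, of the detection logic a defender can run over authentication logs for the pattern described above: one source trying many distinct accounts in a short window with mostly failures is the signature of credential stuffing, and any account that did log in successfully from such a source is a candidate for the forced password reset the retailer asked for. The log format and the sample lines are constructed for the example.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; assumed format: "<ISO time> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-05-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2019-05-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2019-05-01T10:00:02 203.0.113.7 carol LOGIN_OK
2019-05-01T10:00:03 203.0.113.7 dave LOGIN_FAIL
2019-05-01T10:00:04 203.0.113.7 erin LOGIN_FAIL
2019-05-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2019-05-01T10:30:00 198.51.100.4 alice LOGIN_FAIL
2019-05-01T10:30:05 198.51.100.4 alice LOGIN_OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def detect_stuffing(events, window_s=60, min_users=5, max_ok_ratio=0.5):
    """Flag source IPs that hit many distinct accounts within window_s seconds, mostly failing.

    A normal user retrying their own password touches one account; a stuffing bot
    walks a leaked list, so the distinct-user count and failure rate both climb.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            users, successes, j = set(), 0, i
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                users.add(evs[j][1]); successes += evs[j][2]; j += 1
            attempts = j - i
            if len(users) >= min_users and successes / attempts <= max_ok_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": attempts, "successes": successes}
                break  # one flagged window per IP is enough
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: likely reused passwords."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```

Running `detect_stuffing(parse(SAMPLE_LOG))` flags 203.0.113.7 (6 accounts, 1 success in 4 seconds) and leaves 198.51.100.4 alone; `accounts_to_reset` then names carol.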
In 2018, security vendor Akamai recorded approximately 30 billion credential stuffing attempts over those 12 months, according to a recently released company report. That comes to about 115 million credential stuffing attempts per day, with spikes of 250 million potential attacks per day at certain times of the year.
Credentials also come cheap. For instance, the Akamai report found a set of some 5 billion email addresses and passwords for sale on the dark net for only $5.20 for the entire file.
Along with video-streaming services and entertainment companies, retail stores are a prime target for these types of attacks, according to the Akamai report. But even high-tech companies, such as Citrix, are also potential victims (see: Citrix Hackers Camped in Tech Giant's Network for 6 Months).
In most cases, the vast amount of financial information that retail stores retain, along with the bad password habits of customers, makes these types of attacks a lucrative endeavor, Terence Jackson, the CISO of Washington-based security firm Thycotic Software, tells Information Security Media Group.
"This attack is no different than other ones we have seen that use credential spraying and stuffing with passwords that have been disclosed from other breaches," Jackson says. "Consumers accept some of the responsibility by reusing passwords across multiple sites and not enabling multifactor authentication when available. This, yet again, is another lesson on the importance of using a password manager to better secure your online identities."
In the case of Fast Retailing, it does appear that many of the company's customers were reusing old passwords within their online accounts, according to the company statement.