U.S. men’s clothing retailer Bonobos reported a data breach following a hacking incident that exposed the data of seven million customers.
About 70GB of data contains the names, telephone numbers, and payment details of 1.8 million customers, including some passwords stored as hashes. The database also contains 3.5 million records of the last four digits of credit cards.
According to reports, a threat actor called ShinyHunters downloaded a cloud backup of the database and posted the information on a hacker forum. Bonobos said its corporate systems were not affected by the breach; only customer information was exposed.
The hacker is notorious for breaking into online services and then selling the information on the black market. The records were categorized as registered customers, orders, and account information.
In addition, the threat actor claimed to have cracked 158,000 of the SHA-256 password hashes but failed to crack the remaining SHA-512 hashes. The hacker also compiled the cracked passwords into a combolist for credential-stuffing attacks.
Turn of Events
BleepingComputer reported the incident to Bonobos after seeing the information posted on a hacker forum. The company immediately responded that no internal systems had been accessed; the exposed data was a backup file hosted in an external cloud environment.
“We’re investigating this matter further and so far, have found no evidence of unauthorized parties gaining access to Bonobos’ internal system. We contacted the host provider to resolve this issue as soon as we became aware of it,” said Bonobos in an email to BleepingComputer.
Besides contacting the hosting provider, the clothing company also took precautionary steps to shut down further access points and to invalidate account passwords in order to secure customer accounts. The company is also emailing customers to notify them of the incident.
“We’ll continue to share updates with customers as they become available,” added the retailer.
Threat actors can use the credentials stolen from the database for phishing attacks. Bonobos is therefore warning customers to change their existing passwords and to use a unique password for their mobile accounts.
The company said it will never ask for account information, so any text or email requesting such details could be a phishing or hacking attempt.
Bonobos apparel is also sold on Walmart’s website, but there is no evidence that the website was compromised in the incident.
According to BleepingComputer, the stolen data dates back to 2014, when Walmart bought Bonobos.