The Target: American retail chain Hot Topic.
The Take: A threat actor obtained valid credentials for Hot Topic Rewards accounts from an unknown third party.
The Vector: The series of breaches that occurred between Feb. 7 and June 21 was the result of automated credential stuffing attacks against the company’s website and mobile application.
This breach is a reminder that authentication controls are an important part of a robust overall cybersecurity posture and, more critically, that these controls need to be in place at all third-party vendors that have access to a firm’s data.