J.Crew has informed customers that their accounts and personal information may have been compromised by an unauthorized third party, in what appears to be a credential stuffing attack.
The popular US clothing retailer said the attacker obtained customer usernames and login credentials and used them to access the accounts in or around April 2019.
“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” the notice read.
“We do not have reason to believe that the unauthorized party gained access to any additional information within your account.”
Still, these details would be enough to craft highly convincing phishing emails designed to elicit further information from customers, with the aim of full-scale identity fraud.
The firm has reset passwords for the affected accounts and urged customers to change the password if they reuse it on any other sites.
However, the notice raises one important question: if the incident was detected “through routine and proactive web scanning” by J.Crew, why did it take almost a year to alert customers?
Red Canary co-founder, Chris Rothe, argued that this “scanning” may refer to the firm’s dark web searches for customer data, which may not have surfaced the stolen data for months.
“This is an interesting aspect of breaches that I don't think most people realize. The time from when a breach is discovered to when it is disclosed can be a long time depending on how difficult the investigation is, how sensitive the data is, etc,” he said.
“As a J.Crew consumer I may have an expectation that if someone compromises my account, the company will tell me immediately. The reality is it could take a very long time especially for organizations with weak detection and response capabilities.”
Retail is one of the most frequently targeted sectors for credential stuffing attacks. Akamai detected nearly 28 billion attempts on retail customer accounts in an eight-month period in 2018.