Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts belonging to Hot Topic, BoxLunch, and Torrid customers.
Hot Topic is an American retail chain specializing in counterculture-related clothing, accessories, and licensed music merchandise. The company operates over 640 stores across the US and Canada, mostly located in shopping malls, and has a large customer base.
According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, BoxLunch, and Torrid customers.
The security incident was first claimed on BreachForums by a threat actor named “Satanic” on October 21, 2024. The threat actor claimed to have stolen 350 million user records from Hot Topic and its related brands, BoxLunch and Torrid.
“Satanic” was attempting to sell the database for $20,000 while also demanding a ransom payment of $100,000 from Hot Topic to remove the listing from the forums.
At the time, BleepingComputer contacted Hot Topic to ask about the authenticity of the data but received no response.
A report from HudsonRock published on October 23 suggested that the breach may have originated from an information-stealer malware infection that stole credentials for a data unification service used by Hot Topic.
While Hot Topic has remained silent, and no notifications have been sent to potentially impacted customers, data analytics firm Atlas Privacy reported last week that the 730GB database actually impacts 54 million customers.
Additionally, Atlas clarified that the dataset contains 25 million credit card numbers encrypted with a weak cipher that is easy to break using modern computers.
Although Atlas is not 100% certain the database belongs to Hot Topic, it noted that nearly half of all email addresses were not seen in previous breaches, further supporting the legitimacy of the threat actor’s claims.
Atlas says the breach appears to have occurred on October 19, and the data spans from 2011 until that date.
The firm has set up a website that allows Hot Topic customers to check whether their email address or phone number is exposed in the data leak.
Meanwhile, the threat actor continues to sell the database, albeit at a lower price of $4,000.
Potentially impacted Hot Topic customers should stay vigilant for phishing attacks, monitor their financial accounts closely for suspicious activity, and change their passwords on every platform where they use the same credentials.
BleepingComputer has contacted Hot Topic again requesting a comment, but we have not heard back by publication time.