Have I Been Pwned warns that an alleged knowledge breach uncovered the private data of 56,904,909 accounts for Sizzling Subject, Field Lunch, and Torrid prospects.
Sizzling Subject is an American retail chain specializing in counterculture-related clothes, equipment, and licensed music merchandise. The corporate operates over 640 shops throughout the US and Canada, primarily situated in procuring malls, and has an enormous buyer base.
In accordance with HIBP, the uncovered particulars embrace full names, electronic mail addresses, dates of beginning, cellphone numbers, bodily addresses, buy historical past, and partial bank card knowledge for Sizzling Subject, Field Lunch, and Torrid prospects.
The safety incident was initially claimed on BreachForums by a menace actor named “Satanic” on October 21, 2024. The menace actor claimed to have stolen 350 million consumer information from Sizzling Subject and its associated manufacturers, Field Lunch and Torrid.
“Satanic” was trying to promote the database for $20,000 whereas additionally demanding a ransom cost of $100,000 from Sizzling Subject to take away the itemizing from the boards.
On the time, BleepingComputer contacted Sizzling Subject to ask concerning the authenticity of the information however acquired no response.
A report from HudsonRock revealed on October 23 urged that the breach could have originated from an data stealer malware an infection that stole credentials for an information unification service utilized by Sizzling Subject.
Whereas Sizzling Subject has remained silent, and no notifications have been despatched to doubtlessly impacted prospects, knowledge analytics agency Atlas Privateness reported final week that the 730GB database really impacts 54 million prospects.
Moreover, Atlas clarified that the dataset accommodates 25 million bank card numbers encrypted with a weak cipher that is simple to interrupt utilizing fashionable computer systems.
Though Atlas just isn’t 100% sure the database belongs to Sizzling Subject, it famous that just about half of all electronic mail addresses weren’t seen in earlier breaches, additional supporting the legitimacy of the menace actor’s claims.
Altas says the breach seems to have occurred on October 19, and the information spans from 2011 till that date.
The agency has arrange a website that permits Sizzling Subject prospects to test if their electronic mail tackle or cellphone quantity is uncovered within the knowledge leak.
In the meantime, the menace actor continues to promote the database, albeit at a lower cost of $4,000.
Probably impacted Sizzling Subject prospects ought to keep vigilant for phishing assaults, monitor their monetary accounts carefully for suspicious exercise, and alter their passwords on each platform the place they use the identical credentials.
BleepingComputer has contacted Sizzling Subject once more requesting a remark, however we now have not heard again by publication time.
