Have I Been Pwned (HIBP) reports that a suspected data breach has exposed the personal details of 56,904,909 customer accounts linked to Hot Topic, BoxLunch, and Torrid.
Hot Topic, an American retail chain, specializes in alternative fashion, accessories, and licensed pop culture merchandise. With over 640 stores across the United States and Canada, primarily in shopping malls, the company has established a broad customer reach.
According to HIBP, the breached information includes full names, email addresses, birth dates, phone numbers, physical addresses, purchase histories, and partial credit card data of customers from Hot Topic, BoxLunch, and Torrid.
The breach was first disclosed on BreachForums by a threat actor using the alias “Satanic” on October 21, 2024. The actor claimed to possess 350 million user records from Hot Topic and its associated brands, BoxLunch and Torrid.
“Satanic” offered the data for $20,000 and demanded a $100,000 ransom from Hot Topic to remove the listing from the forum.
At the time, BleepingComputer reached out to Hot Topic to verify the authenticity of the data but did not receive a response.
An October 23 report by Hudson Rock suggested that the breach may have stemmed from an information-stealer malware infection that compromised credentials for a data unification service used by Hot Topic.
Despite Hot Topic’s silence and the absence of notifications to potentially affected customers, data analytics firm Atlas Privacy reported last week that the 730GB database affects 54 million customers.
Atlas further indicated that the dataset includes 25 million credit card numbers encrypted with a weak cipher which, according to the firm, could easily be decrypted with modern computing power.
While Atlas is not entirely certain that the database is from Hot Topic, the firm noted that nearly half of the email addresses in the database had not appeared in previous breaches, lending credibility to the threat actor’s claims.
Atlas suggests that the breach likely occurred on October 19, covering data spanning from 2011 to that date.
The firm has also launched a site where Hot Topic customers can check whether their email addresses or phone numbers appear in the leaked data.
Meanwhile, the threat actor has reduced the database’s price to $4,000, continuing to offer it for sale.
Potentially impacted Hot Topic customers are advised to be vigilant against phishing attempts that make use of the leaked details, to monitor financial accounts closely for suspicious activity given the partial card data in the dataset, and to change passwords on any platform where they reuse the same login credentials.
BleepingComputer has reached out to Hot Topic again for a comment, but no response was received by publication time.
Source: BleepingComputer, Bill Toulas