A data breach disclosed by American luxury retailer Neiman Marcus in May 2024 has compromised over 31 million customer email addresses, as reported by Troy Hunt, the founder of Have I Been Pwned, who examined the stolen data.
Hunt’s analysis follows the company’s breach notification filing with the Office of the Maine Attorney General, which stated that the breach affected only 64,472 individuals.
In a separate notification on its website, Neiman Marcus detailed that the exposed data included names, contact information (such as email and postal addresses, and phone numbers), dates of birth, gift card details, transaction data, partial credit card information (excluding expiration dates or CVVs), Social Security numbers, and employee ID numbers.
During his review of the stolen data, Hunt identified 30 million unique email addresses. He informed BleepingComputer that he verified the legitimacy of the information with several individuals whose data was included in the stolen database.
“That’s obviously a substantial number and I do want to get notifications out to them promptly. The total unique number of addresses I’ll be referring to is 31,152,842,” Hunt told BleepingComputer.
Approximately 105,000 Have I Been Pwned subscribers found in the data set will receive an email about this significant data breach, according to Hunt.
When BleepingComputer reached out to Neiman Marcus for comment on Hunt’s findings, a spokesperson declined to provide further information and directed them to the data security notification on the company’s website. They clarified that the 64,472 individuals mentioned in the Maine filing are those who have been notified about the data breach.
Data stolen in Snowflake data theft attack
In June, Neiman Marcus linked its data breach to the Snowflake data theft attacks in a statement to BleepingComputer after initially disclosing the incident.
“Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake,” the company stated.
The disclosure and breach notifications followed a threat actor known as “Sp1d3r” listing Neiman Marcus’ data for sale on a hacking forum, demanding $150,000 for 12 million gift card numbers, 70 million transactions with full customer details, and 6 billion rows of customer shopping records, store information, and employee data.
Neiman Marcus data for sale on hacking forum (HacManac)
Initially, the threat actor claimed the company refused to pay an extortion demand, but later removed the forum post and data sample, suggesting potential negotiations.
A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that a financially motivated threat actor, identified as UNC5537, used stolen customer credentials to target at least 165 organizations that had not configured multi-factor authentication (MFA) protection on their Snowflake accounts.
Recent breaches connected to these attacks, which began in May 2024, include Ticketmaster, Santander, Pure Storage, QuoteWizard/LendingTree, Advance Auto Parts, and Los Angeles Unified School District.
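The weakness the joint investigation describes, valid credentials used against Snowflake accounts that never enrolled in MFA, can be audited from inside an account. The following is an added example, not from the article and not code published by Neiman Marcus, Snowflake, Mandiant or CrowdStrike. It runs against the SNOWFLAKE.ACCOUNT_USAGE views (USERS and LOGIN_HISTORY) using their documented columns, and assumes the executing role has been granted IMPORTED PRIVILEGES on the SNOWFLAKE database; the 30-day window is an arbitrary choice for the example.

```sql
-- Added example: find the exposure pattern behind the Snowflake credential-theft campaign,
-- i.e. password-capable users with no MFA enrolment, and password-only logins that
-- actually succeeded. Requires a role with access to SNOWFLAKE.ACCOUNT_USAGE.

-- 1. Active users who can log in with a password but are not enrolled in MFA.
--    EXT_AUTHN_DUO is the enrolment flag for Snowflake's built-in (Duo-backed) MFA.
--    DISABLED is wrapped in TO_BOOLEAN because it is exposed as text in some views.
SELECT
    name,
    login_name,
    email,
    has_password,
    ext_authn_duo AS mfa_enrolled,
    last_success_login,
    DATEDIFF('day', last_success_login, CURRENT_TIMESTAMP()) AS days_since_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND COALESCE(TO_BOOLEAN(disabled), FALSE) = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days (window is an assumption) that completed
--    with a password and no second factor. SECOND_AUTHENTICATION_FACTOR is NULL when
--    MFA did not run, so grouping by user and source IP shows where password-only
--    access is actually being exercised rather than merely possible.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY password_only_logins DESC;
```

The first query lists the accounts that would be exposed if their password leaked; the second shows which of them are in active password-only use and from where, which is the set to prioritise for MFA enrolment or for moving to key-pair or SSO authentication. ACCOUNT_USAGE views lag live activity by up to a few hours, so a just-created user may not appear immediately.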
Source: BleepingComputer, Sergiu Gatlan