Infostealer Infection Results in One of the Largest Retail Breaches in History

A significant data breach involving Hot Topic, Torrid, and Box Lunch has reportedly exposed the personal data of 350 million customers.

Summary

A significant data breach involving Hot Topic, Torrid, and Box Lunch, advertised by the threat actor Satanic, has reportedly exposed the personal data of 350 million customers, including names, emails, addresses, phone numbers, and birthdates. Also exposed were payment details (the last four digits of customers' credit cards, card types, hashed expiration dates, account holder names and profile identifiers) and loyalty points reportedly numbering in the billions.

Satanic sought $20,000 USD for the stolen data or $100,000 USD from Hot Topic to remove the post. Hudson Rock researchers linked the breach to Infostealers, after identifying an employee from a third-party company, Robling, who was infected by an Infostealer in September 2024. This infection granted access to sensitive credentials associated with Hot Topic’s cloud services, including Snowflake and Looker, platforms frequently targeted in previous breaches.

Satanic claimed the attack exploited a lack of multi-factor authentication (MFA) on a Snowflake account, although this claim remains unverified. Hudson Rock noted that the loyalty points tied to Hot Topic, which reportedly number in the billions, can be especially difficult to mitigate: threat actors can spend them through account takeovers, and many of the points do not carry an expiration date, so they remain usable indefinitely.
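The unverified claim above is that a password-only Snowflake login was enough. Whether or not that is how this breach happened, the check a defender wants is the same: which Snowflake users can still authenticate without a second factor, and which accounts have actually been doing so. The two queries below are an added example written for this post; they are not from the Hudson Rock report or from RH-ISAC. They use Snowflake's documented SNOWFLAKE.ACCOUNT_USAGE views (USERS and LOGIN_HISTORY) and assume a role that can read that share, such as ACCOUNTADMIN.

```sql
-- Added example (not from the Hudson Rock report or RH-ISAC).
-- Assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share.
-- Both views lag live activity by up to roughly two hours, so they
-- suit periodic review rather than real-time alerting.

-- 1. Active users who can log in with a password alone:
--    password-enabled, not disabled, and no Duo MFA enrolled.
--    Flags are cast through VARCHAR defensively because the view
--    exposes some of them as text rather than BOOLEAN.
SELECT name,
       login_name,
       email,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND TO_BOOLEAN(disabled::VARCHAR)      = FALSE
  AND TO_BOOLEAN(has_password::VARCHAR)  = TRUE
  AND TO_BOOLEAN(ext_authn_duo::VARCHAR) = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by
--    user, source IP and client. A contractor or service account that
--    authenticates with PASSWORD and no second factor from an IP it has
--    never used before is the pattern a credential harvested by an
--    infostealer would produce.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;
```

Run the first query to enumerate the exposure and the second to find who has been using it. Any row in the second result for a third-party or contractor account, such as the Robling-type access described above, is worth reconciling against that party's known egress addresses before deciding whether the login was legitimate.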

Community Impact

The breach highlights the growing threat posed by Infostealers, which have been linked to numerous major cyber incidents in 2024, and raises concerns about identity theft and financial fraud. According to the Hudson Rock report, the scale of this breach not only threatens individuals but also undermines trust in the affected companies, making it a significant reminder of the risks posed by Infostealer infections. RH-ISAC recommends Core Members review the Hudson Rock report, which contains additional details of the investigation, including conversations directly with Satanic.
