Customers of American retailer Hot Topic are being notified about multiple “credential-stuffing” cyberattacks that resulted in cracked accounts and sensitive information being exposed to hackers, occurring between Feb. 7 and June 21.

According to a notice to customers, Hot Topic said that it identified suspicious login activity for multiple “Hot Topic Rewards” accounts. After undergoing an investigation, the company determined that automated attacks had been launched against their website as well as its mobile application on multiple different dates, using account credentials that Hot Topic was not the source of.

The type of personal information the unknown threat actors may have accessed are names, email addresses, order histories, phone numbers, mailing addresses, and birthdays. And if a Hot Topic rewards member had a payment card saved to their account, the threat actors would have also been able to see the last four digits of the card number.

Credential-stuffing attacks occur when cybercriminals run an automated script to attempt logins to accounts using lists of stolen user names and passwords purchased on the Dark Web. The attackers bank on users not changing their passwords regularly, or reusing the same password across multiple sites.  

“The recent Hot Topic data breach underscores two intertwined security challenges: compromised credentials, and distinguishing between normal and abnormal behavior,” Tyler Farrar, CISO at Exabeam, wrote in an emailed statement. “Valid credentials … provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins. Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards … all contribute to a resilient defense against credential-based attacks.”

Hot Topic asserted that it is taking the account breaches very seriously, working alongside cybersecurity experts and implementing new measures and steps to safeguard its website and mobile application from these types of automated credential-stuffing attacks. 

In the meantime, Hot Topic has emailed users with instructions to reset their credentials, encouraging them to use strong and unique passwords for its website to avoid future data breaches.