A Might 2024 data breach disclosed by American luxurious retailer and division retailer chain Neiman Marcus final month has uncovered greater than 31 million buyer electronic mail addresses, in keeping with Have I Been Pwned founder Troy Hunt, who analyzed the stolen information.
Hunt’s findings come after the corporate filed a breach notification with the Workplace of the Maine Legal professional Normal, stating that the breach solely impacted 64,472 folks.
In a separate incident notification printed on its web site, Neiman Marcus revealed that the info uncovered within the assault included names, contact data (e.g., electronic mail and postal addresses, and telephone numbers), dates of start, reward card data, transaction information, partial bank card (with out expiration dates or CVVs) and Social Safety numbers, and worker identification numbers.
Whereas analyzing the info stolen within the breach, Hunt discovered 30 million distinctive electronic mail addresses and informed BleepingComputer that he additionally confirmed with a number of folks whose information was within the stolen database that the knowledge was authentic.
“That is clearly a considerable quantity and I do need to get notifications out to them promptly. The whole distinctive variety of addresses I will be referring to is 31,152,842,” Hunt informed BleepingComputer.
He mentioned that roughly 105,000 Have I Been Pwned subscribers discovered within the information set will obtain an electronic mail informing them of this huge data breach.
When BleepingComputer contacted a Neiman Marcus spokesperson to substantiate Hunt’s findings, they declined to remark. As an alternative, they pointed us to the info security notification printed on the corporate’s web site and mentioned that the 64,472 folks talked about within the Maine submitting are those that have acquired data breach notifications.
Data stolen in Snowflake information theft assault
In June, after it first disclosed the data breach, Neiman Marcus additionally linked the incident to the Snowflake information theft assaults in a press release to BleepingComputer.
“Neiman Marcus Group (NMG) not too long ago discovered that an unauthorized occasion gained entry to a cloud database platform utilized by NMG that’s supplied by a 3rd occasion, Snowflake,” the corporate informed BleepingComputer.
The disclosure and the data breach notifications got here after a risk actor utilizing the “Sp1d3r” deal with put Neiman Marcus’ information up on the market on a hacking discussion board, asking $150,000 for 12 million reward card numbers, 70 million transactions with full buyer particulars, and 6 billion rows of buyer buying data, retailer data, and worker information.
Whereas the risk actor first mentioned the corporate refused to pay an extortion demand, it subsequently took down the discussion board publish and the info pattern, hinting that the corporate might have begun negotiating.
A joint investigation by SnowFlake, Mandiant, and CrowdStrike revealed {that a} financially motivated risk actor tracked as UNC5537 used stolen buyer credentials to focus on at the very least 165 organizations that didn’t configure multi-factor authentication (MFA) safety on their SnowFlake accounts.
Latest breaches linked to those assaults, which began in Might 2024, embrace Ticketmaster, Santander, Pure Storage, QuoteWizard/LendingTree, Advance Auto Elements, and Los Angeles Unified.
