Have I Been Pwned warns that an alleged data breach uncovered the private info of 56,904,909 accounts for Sizzling Subject, Field Lunch, and Torrid clients.
Sizzling Subject is an American retail chain specializing in counterculture-related clothes, equipment, and licensed music merchandise. The corporate operates over 640 shops throughout america and Canada, primarily situated in purchasing malls, and has an unlimited buyer base.
In keeping with HIBP, the uncovered particulars embody full names, e-mail addresses, dates of beginning, cellphone numbers, bodily addresses, buy historical past, and partial bank card information for Sizzling Subject, Field Lunch, and Torrid clients.
The security incident was initially claimed on BreachForums by a menace actor named “Satanic” on October 21, 2024. The menace actor claimed to have stolen 350 million consumer data from Sizzling Subject and its associated manufacturers, Field Lunch and Torrid.
“Satanic” was making an attempt to promote the database for $20,000 whereas additionally demanding a ransom fee of $100,000 from Sizzling Subject to take away the itemizing from the boards.
On the time, BleepingComputer contacted Sizzling Subject to ask concerning the authenticity of the information however acquired no response.
A report from HudsonRock printed on October 23 urged that the breach might have originated from an info stealer malware an infection that stole credentials for a knowledge unification service utilized by Sizzling Subject.
Whereas Sizzling Subject has remained silent, and no notifications had been despatched to doubtlessly impacted clients, information analytics agency Atlas Privateness reported final week that the 730GB database truly impacts 54 million clients.
Moreover, Atlas clarified that the dataset incorporates 25 million bank card numbers encrypted with a weak cipher that is simple to interrupt utilizing trendy computer systems.
Though Atlas isn’t 100% sure the database belongs to Sizzling Subject, it famous that almost half of all e-mail addresses weren’t seen in earlier breaches, additional supporting the legitimacy of the menace actor’s claims.
Altas says the breach seems to have occurred on October 19, and the information spans from 2011 till that date.
The agency has arrange a website that enables Sizzling Subject clients to examine if their e-mail deal with or cellphone quantity is uncovered within the information leak.
In the meantime, the menace actor continues to promote the database, albeit at a lower cost of $4,000.
Probably impacted Sizzling Subject clients ought to keep vigilant for phishing assaults, monitor their monetary accounts carefully for suspicious exercise, and alter their passwords on each platform the place they use the identical credentials.
BleepingComputer has contacted Sizzling Subject once more requesting a remark, however we now have not heard again by publication time.
