A recent cyberattack has exposed the personal and financial data of around 57 million Hot Topic customers, compromising millions of email addresses, partial credit card details, and extensive customer information. The cybersecurity firm Hudson Rock initially publicized the breach on October 23, 2024, and Atlas Privacy has now confirmed it.
In what appears to be one of the largest retail data breaches in recent history, the personal information of millions of Hot Topic customers is now potentially in the hands of cybercriminals. This breach has also affected Hot Topic’s affiliated brands, Torrid and BoxLunch, which all share customer data through their loyalty programs. The compromised data is already being offered on dark web forums by a hacker using the alias “Satanic.” The actor is now attempting to sell the information for $20,000 and is asking Hot Topic for $100,000 to delete the thread.
According to Hudson Rock, the breach likely originated from an infostealer malware infection on the computer of an employee of Robling, a retail analytics firm working with Hot Topic. The malware captured login credentials, allowing the hacker access to Hot Topic’s databases hosted on platforms like Snowflake and Looker. From there, “Satanic” was able to download a significant amount of customer data.
A Massive Scope and Alarming Details
Atlas Privacy confirmed that around 57 million unique email addresses and 25 million credit cards were impacted. The stolen database also contains names, addresses, phone numbers, and birth dates, along with partial credit card information such as card type, last four digits, and hashed expiration dates, leaving the data vulnerable to decryption attempts.
“It’s very likely we’ll decrypt the whole thing in the next few days,” said Arnaud de Saint Méloir, a researcher at Atlas Privacy. He pointed out that the encryption and security measures Hot Topic used are minimal.
“The scale of this breach not only threatens individuals but also undermines trust in the affected companies,” Hudson Rock’s researchers emphasized. They warned the data could trigger identity theft, fraud, and account takeovers. Partial card data could allow criminals to reconstruct full card details for unauthorized purchases.
Response and Caution for Affected Customers
Hot Topic has yet to release an official statement or provide steps for affected customers. However, Hudson Rock and Atlas Privacy advise anyone concerned about potential exposure to verify their information on security sites like Have I Been Pwned or DataBreach.com, which have added this incident to their databases.