Almost half a million accounts have been compromised as the internal server of the famous Japanese clothing brand, UNIQLO, has been breached, according to a notification sent out by the company today.
The announcement states that the UNIQLO Japan and GU Japan online stores have been hacked and third parties were able to gain access to 461,091 customer accounts following a credential stuffing attack on their servers.
According to the notification that the company sent out to the affected accounts, the credential stuffing attack that led to the data breach took place between April 23rd and May 10th this year. However, the number of compromised accounts could be higher because the investigation has yet to be concluded.
“While the number of incidents and circumstances may change during the course of the investigation, Fast Retailing is today providing notice of the facts as determined at present, and the company’s response,” says Fast Retailing.
According to the notification, the hackers were able to access the following data:
• Customer name (last name and first name)
• Customer address (postal code, address, and apartment number)
• Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
• Receiver name (last name and first name), address, and phone number
• Customer partial credit card information (cardholder name, expiration date, and a portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.
In response to the attack, the company has successfully disabled the passwords of almost half a million compromised accounts to mitigate and control the situation. The passwords were disabled on May 13th, and the measure is limited to UNIQLO Japan and GU Japan online shop customers. The company also sent notification emails to the affected account holders to warn them about the data breach and to ask them to reset their passwords immediately.
The discovery of the breach comes after multiple customer complaints about odd and questionable account activities. Immediately upon discovery, Fast Retailing blocked the attackers from accessing the company’s computing systems and strengthened its “monitoring of other access points.”
“Fast Retailing has also filed a report of damages regarding the unauthorized logins with the Tokyo Metropolitan Police,” states the data breach notification.
Highlighting the risks that come with the data breach, the company also warned its customers to change their passwords, especially if they are using them on other online platforms.
“Fast Retailing is, therefore, requesting everyone who uses the same user ID or password with other services, not just the customers who have been contacted individually, to change their passwords immediately. The company recognizes that protecting customer information is a matter of the highest priority, considering this incident extremely seriously, and is strengthening monitoring of unauthorized access, as well as taking other steps to ensure further that customers are able to shop with safety,” they wrote.
Credential stuffing attacks are designed by hackers to be completely automated, making use of extensive collections of stolen credentials bought on the black market to brute force their way into a computing system. Several other companies have been hit by this type of attack. Credential stuffing attacks also infiltrated the networks of other popular brands such as TurboTax, Dunkin’ Donuts, Basecamp, and Dailymotion in the first quarter of 2019.
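As an added illustration (not part of the company's notification or the original article), the sketch below shows the kind of login monitoring that separates credential stuffing from ordinary failed logins: one source trying many different accounts, about once each, with most attempts failing. The log format, thresholds, IP addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Parse 'ISO-timestamp ip username OK|FAIL' (constructed log format)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def stuffing_sources(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for sources with a
    window of activity that looks like credential stuffing: many distinct
    accounts, few tries per account, mostly failing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(map(parse, lines)):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(not ok for _, _, ok in span)
            if (len(users) >= min_users
                    and len(span) <= 2 * len(users)  # few tries per account
                    and failures / len(span) >= min_fail_ratio):
                flagged[ip] = (len(users), len(span), failures)
    return flagged

# Constructed sample log: documentation-range IPs, invented accounts.
SAMPLE = (
    # One source, eight different accounts, one try each, one hit: stuffing.
    [f"2019-05-01T10:00:{i:02d} 203.0.113.7 user{i}@example.com {'OK' if i == 5 else 'FAIL'}"
     for i in range(8)]
    # One source hammering a single account: brute force, not stuffing.
    + [f"2019-05-01T10:01:{i:02d} 198.51.100.9 admin@example.com FAIL" for i in range(8)]
    # A customer mistyping once and then logging in.
    + ["2019-05-01T10:02:00 192.0.2.44 hana@example.com FAIL",
       "2019-05-01T10:02:09 192.0.2.44 hana@example.com OK"]
)

if __name__ == "__main__":
    for ip, (users, attempts, failures) in stuffing_sources(SAMPLE).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {failures} failed")
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting is usually repeated over other keys such as client fingerprint or network range.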
Interestingly, a recent study has suggested that the first quarter of 2019 has the worst cybersecurity record, with a significant increase in disclosed data breaches from January to March. Risk-Based Security revealed on May 7th that there were 1,904 publicly disclosed data breaches in the first three months. In aggregate, the breaches exposed more than 1.9 billion records, which include but are not limited to names, passwords, email addresses, credit card information, phone numbers, and IP addresses.
According to the press release by the tech firm, there is “no other first quarter [that] has seen this level of activity.” The massive increase in the number of publicly available and reported cases of data compromise compels the firm to infer that 2019 could be another “worst year on record.”