
American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers’ personal information and partial payment data.

Hot Topic, Inc. is an American fast-fashion company specializing in counterculture-related clothing and accessories, as well as licensed music.

The company was the victim of credential stuffing attacks against its website and mobile application on November 18-19 and November 25, 2023. Hot Topic detected suspicious login activity on certain Hot Topic Rewards accounts.

The threat actors used valid account credentials obtained from an unknown third-party source.

“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both.

“We recently identified suspicious login activity to certain Hot Topic Rewards accounts. Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on November 18-19 and November 25, 2023 using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source. Hot Topic was not the source of the account credentials used in these attacks,” reads the notification sent to the potentially impacted customers.

The company informed customers that it could not confirm whether unauthorized third parties accessed any accounts or if the logins were legitimate customer access during the relevant periods. The company only observed that the account credentials of potentially impacted customers were used to log into their Rewards account.

“It’s important to note that we have not concluded any unauthorized access to your Hot Topic Rewards account. We’re sending you this notice as a precautionary measure,” continues the notification.

Threat actors may have accessed customers’ names, email addresses, order history, phone numbers, month and day of their births, and mailing addresses. If the potentially impacted customers had saved a payment card to their Rewards account, threat actors could have accessed the last four digits of the card number.

Hot Topic revealed that after detecting the suspicious activity, it launched an investigation with the help of outside cybersecurity experts. The company also announced the implementation of specific measures to improve the protection of its website and mobile application against credential stuffing attacks, and it recommends that customers change their account password.
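The pattern described above (automated attempts with many different stolen username/password pairs from the same source, most of which fail, a few of which succeed) is what a defender looks for in authentication logs. The following is an added example, not code from the article or from Hot Topic: a small detector that reads a constructed login log, groups attempts per client IP, and flags any five-minute window in which one IP tried many distinct accounts with a high failure rate. The log format, the thresholds, and the sample IPs and accounts are all assumptions made for the example. Accounts that logged in successfully inside a flagged window are listed separately, since those are the "credentials were used, but we cannot confirm misuse" cases the notification above refers to, and the ones a precautionary password reset should target.

```python
"""Credential-stuffing detector over constructed login logs.

Added example, not taken from the article or from Hot Topic.
Assumed log format (one attempt per line):
    <ISO-8601 UTC timestamp> <client_ip> <account> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays eight different accounts in a few
# seconds (two land), one IP retries a single account (typo, not stuffing),
# and one IP performs a normal single login.
SAMPLE_LOG = """\
2023-11-18T02:00:01Z 203.0.113.10 alice@example.com FAIL
2023-11-18T02:00:02Z 203.0.113.10 bob@example.com FAIL
2023-11-18T02:00:02Z 203.0.113.10 carol@example.com SUCCESS
2023-11-18T02:00:03Z 203.0.113.10 dave@example.com FAIL
2023-11-18T02:00:03Z 203.0.113.10 erin@example.com FAIL
2023-11-18T02:00:04Z 203.0.113.10 frank@example.com FAIL
2023-11-18T02:00:04Z 203.0.113.10 grace@example.com SUCCESS
2023-11-18T02:00:05Z 203.0.113.10 heidi@example.com FAIL
2023-11-18T02:05:00Z 198.51.100.7 ivan@example.com FAIL
2023-11-18T02:05:09Z 198.51.100.7 ivan@example.com FAIL
2023-11-18T02:05:20Z 198.51.100.7 ivan@example.com SUCCESS
2023-11-18T02:10:00Z 192.0.2.44 judy@example.com SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    account: str
    success: bool


@dataclass
class Alert:
    ip: str
    window_start: datetime
    attempts: int
    failures: int
    accounts: list  # distinct accounts tried from this IP in the window
    hits: list      # accounts that logged in successfully in the window


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, account, outcome == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.5):
    """Flag IPs that try >= min_accounts distinct accounts inside `window`
    with a failure ratio >= min_fail_ratio. A single account retried many
    times is deliberately NOT flagged here: that is brute force or a user
    mistyping, not credential stuffing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            failures = sum(not e.success for e in win)
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                # Triggered: report the full window anchored at `start`, so
                # successes that arrive after the trigger point are included.
                anchor = evs[start].ts
                full = [e for e in evs[start:] if e.ts - anchor <= window]
                alerts.append(Alert(
                    ip=ip,
                    window_start=anchor,
                    attempts=len(full),
                    failures=sum(not e.success for e in full),
                    accounts=sorted({e.account for e in full}),
                    hits=sorted(e.account for e in full if e.success),
                ))
                break  # one alert per IP is enough for this example
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ip}: {a.attempts} attempts, {a.failures} failures, "
              f"{len(a.accounts)} accounts, successful logins: {a.hits}")
```

On the sample log only 203.0.113.10 is flagged (eight accounts, six failures); its two successful logins are the accounts that would receive the precautionary notice and forced reset. The single-account retries from 198.51.100.7 pass, because distinct-account count, not failure count alone, is the signal that separates stuffing from an ordinary failed login.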

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to trigger a denial-of-service (DoS) condition.

Cisco this week released patches to address multiple IOS and IOS XE software vulnerabilities. An unauthenticated attacker can exploit several issues fixed by the IT giant to cause a denial-of-service (DoS) condition.

Below are the most severe issues addressed by the company:

CVE-2024-20311 (CVSS score 8.6) – A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload.

CVE-2024-20314 (CVSS score 8.6) – A vulnerability in the IPv4 Software-Defined Access (SD-Access) fabric edge node feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause high CPU utilization and stop all traffic processing, resulting in a denial of service (DoS) condition on an affected device.

CVE-2024-20307 – CVE-2024-20308 (CVSS score 8.6) – Multiple vulnerabilities in the Internet Key Exchange version 1 (IKEv1) fragmentation feature of Cisco IOS Software and Cisco IOS XE Software. These flaws could allow an unauthenticated, remote attacker to cause a heap overflow or corruption on an affected system.

CVE-2024-20259 (CVSS score 8.6) – A vulnerability in the DHCP snooping feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

CVE-2024-20303 (CVSS score 7.4) – A vulnerability in the multicast DNS (mDNS) gateway feature of IOS XE Software for Wireless LAN Controllers (WLCs). An unauthenticated, adjacent attacker can trigger the flaw to cause a denial of service (DoS) condition.

The company also addressed other high and medium-severity vulnerabilities in Access Point Software, Catalyst Center, and Aironet Access Point Software.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)