Warby Parker on Thursday disclosed that roughly 198,000 of its customers may have been affected by a credential stuffing attack targeting the eyeglass retail chain.
According to a company press release, an unknown cybercriminal actor has been attempting to access Warby Parker customer accounts by leveraging usernames and passwords that were previously stolen from other companies in unrelated breaches.
Only individuals who reuse the same credentials across multiple accounts are vulnerable to this kind of attack, while those who create a unique username and password for each account are protected. For that reason, as a precaution, the company contacted its potentially compromised customers and required them to change their passwords.
The unauthorized activity started on Sept. 25 and continued through late November, at which time the scheme was discovered. During those two months, the intruders theoretically could have viewed certain customers’ store prescriptions and profile data, although there’s no proof this occurred, the company said. The perpetrators also potentially could have placed an order if customers had their payment card information stored. However, Warby Parker said there is no evidence that any payment card information was stolen.
“Customer privacy and security is a key priority for us,” said Warby Parker co-founder and co-CEO Dave Gilboa in the press release. “We have reset passwords for potentially affected customers, and we apologize for the inconvenience this may cause them. We want to thank our customers for their patience as we work to protect the security of their data. We have reported this matter to law enforcement and are actively cooperating with them.”
Based in New York, Warby Parker currently operates 88 retail locations.