Hackers stole data, including partial credit card numbers, on 460,000 Uniqlo Japan online customers in an incident that took place between April 23 and May 10.
“We deeply apologize to our customers and pledge to prevent this from happening again,” according to a statement from Fast Retailing Co., the parent of Uniqlo and GU Japan, which also was hacked. The company, which is investigating the incident, said there is no evidence that the nicked information has been used and encouraged users to reset their passwords – unique from those used with other accounts and services.
“Fast Retailing has determined that a total of 461,091 unauthorized logins occurred between April 23 and May 10, 2019, by means of list type account hacking,” the company said. “Fast Retailing received reports from customers that they had received emails of which they had no knowledge. The company investigated, and confirmed that unauthorized logins had been attempted by external parties between April 23 and May 10, 2019.”
In credential stuffing attacks hackers often use bots to validate login credentials sets, then access credit card data, selling personally identifiable information (PII) on the dark web or use the information to hijack accounts, stealing money and goods.
“Data breaches like UNIQLO create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords,” Distil Networks Co-founder Rami Essaid. “While this is often framed as a problem for the individuals who own the passwords, any online business that has a user login web page is at risk of becoming the next breach headline.”
Noting that “Uniqlo discovered the breach after customers reported strange account activity and after the company blocked the attackers from accessing the company’s computing systems,” Chris Kennedy, CISO and vice president of customer success at AttackIQ, said, “it is alarming that this malicious third party was able to obtain unauthorized access via credential stuffing and elevate its access to move laterally through the company’s network to pilfer the data of approximately 460,000 users before being discovered. This leaves the questions of whether Uniqlo had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if Uniqlo was exclusively relying on users with user access to not engage in malicious activity.
Among the information that Fast Retailing said hackers may have accessed are customer names, addresses, phone numbers, gender, birthdates, purchase history, clothing measurements, receiver names and the first and last four digits of credit card numbers. The company said it does not display or store CVV numbers.
“Fast Retailing has identified the origin of the communication from which the unauthorized logins were attempted and has blocked access, and is strengthening monitoring of other access points,” the statement said. “On May 13, the company disabled the passwords for the 461,091 user IDs that had been potentially accessed, and is sending individual emails to each person affected.”
The attack “is giving hackers new ammunition that they can load into their automation tool kits to target other retail sites,” said Matt Keil, director of product marketing at Cequence Security. “If, for example, the username and PW were part of the data set that was stolen, then the attackers can count on the fact that 52 percent of users re-use passwords, and an attacker can then load that information into an automation tool and use it to target another retail site.”
Among the other risks, “access to account information gives hackers the ability to takeover the account then steal the value of what is stored within,” said Keil. ‘If the Uniqlo account is holding a credit card for more rapid transactions, or a connection to a payment platform, the attackers can now use that access to purchase goods – effectively stealing those goods impacting both Uniqlo and the users themselves.”
A third risk would be hacker “access to the customer’s loyalty account or the app in Uniqlo’s case – attackers can take those points or the discount coupons and then use them for their own fraudulent purposes,” he said.
The Uniqlo breach “shines a light on the seriousness of hackers carrying out automated attacks at scale. After nearly half a million accounts have been compromised, Uniqlo is urging users to not only reset their passwords, but to create a unique password for their accounts to reduce the chances of being hacked,” said Kevin Gosschalk, CEO at Arkose Labs.
Distil Research Lab’s study of 600 website domains that include login pages, found the sites experienced a 300 percent increase in volumetric attacks after credentials from a breach have been made publicly available.
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” said Essaid. “The massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website.”
Resetting passwords “is a good immediate first step,” said Gosschalk, but “companies can’t guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface.”