Breach, Threat Management, Data Security

Credential stuffing attack focuses on glasses retailer Warby Parker

Warby Parker on Thursday disclosed that roughly 198,000 of its customers may have been affected by a credential stuffing attack targeting the eyeglass retail chain.

According to a company press release, an unknown cybercriminal actor has been attempting to access Warby Parker customer accounts by leveraging usernames and passwords that were previously stolen from other companies in unrelated breaches.

Only individuals who repeatedly use the same credentials across multiple accounts are vulnerable to this kind of attack, while those who create unique usernames and passwords each time are protected. For that reason, the company as a precaution contacted its potentially compromised customers and required them to change their passwords.

The unauthorized activity started on Sept. 25 and continued through late November, at which time the scheme was discovered. During those two months, the intruders theoretically could have viewed certain customers' store prescriptions and profile data, although there's no proof this occurred, the company said. The perpetrators also potentially could have placed an order if customers had their payment card information stored. However, Warby Parker said there is no evidence that any payment card information was stolen.

"Customer privacy and security is a key priority for us," said Warby Parker co-founder and co-CEO Dave Gilboa in the press release. "We have reset passwords for potentially affected customers, and we apologize for the inconvenience this may cause them. We want to thank our customers for their patience as we work to protect the security of their data. We have reported this matter to law enforcement and are actively cooperating with them."

Based in New York, Warby Parker currently operates 88 retail locations.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.