Millions used '123456' as a password in breach affecting 42 million

Several million online retail customers of German shoe and apparel manufacturer Adidas may have had their personal information compromised in a data breach involving an unauthorized third party.

The $24.77 billion company on Thursday acknowledged in a brief online disclosure that it has begun informing consumers who made purchases via adidas.com/US about a "potential data security incident," after an unnamed party claimed to have acquired data linked to Adidas shoppers.

The breached data includes contact information, usernames and encrypted passwords, but apparently not credit card or personal fitness information. The disclosure describes the passwords only as "encrypted"; from a defender's standpoint the detail that matters is whether they were stored as salted hashes under a slow key-derivation function, since that is what determines how quickly an attacker holding the dump can recover the weak passwords in it offline. While the company's online statement did not put a number on how many consumers have been affected, multiple news reports have cited an Adidas spokesperson as saying "a few million customers" were involved.

In response to the incident, Adidas is "working with leading data security firms and law enforcement authorities to investigate the issue," the company says in its statement.

James Lerud, head of the behavioral research team at Verodin, said in emailed comments that the lack of stolen financials and health information, coupled with the fact that the stolen passwords were encrypted, "leads me to believe that Adidas is following best practices." Nevertheless, he added, "Businesses should take this as a warning that even if you follow best practices, breaches can still happen. Security controls need to be continuously measured, evaluated, and updated to stay ahead."

“The Adidas breach is just another example of how organizations need to maintain security-in-depth to protect their cyber posture," said Mukul Kumar, CISO and vice president of cyber practice at Cavirin. "Here, they need to automate continuous assessment of their servers, and, if they are in the cloud, their cloud security posture, to ensure that any gaps are identified and remediated. Given GDPR, this is even more vital for Adidas given that their HQ is in the EU.”

“Retail websites have become a fertile hunting ground for attackers targeting customer data," said Fred Kneip, CEO at CyberGRX, also in emailed comments. "Even when organizations do everything they can do to safeguard their data, attackers have gotten very good at going through third parties to find a way in." In this instance, however, it has not yet been stated how the unauthorized party accessed the adidas.com/US information.