Data leak
β Supply Chain
Hot Topic data breach via infostealer (Robling third party)
Primary Source βIncident Details
Threat actor ‘Satanic’ posted on BreachForums on 21 October 2024 claiming 350 million Hot Topic user records (figure likely inflated); confirmed data set is ~730 GB covering Hot Topic and its brands Box Lunch and Torrid. Data includes email addresses, phone numbers, physical addresses, birth dates, purchase histories, and partially encrypted credit card information. Root cause: infostealer infected a computer at Robling, a third-party retail analytics provider, which had access to Hot Topic’s systems. Ransom demand: $20,000. Hot Topic did not publicly confirm the breach in a timely manner.
Technical Details
- Initial Attack Vector
- CWE-522: Insufficiently Protected Credentials (infostealer malware infected a third-party retail analytics provider, Robling, leaking credentials used to access Hot Topic's systems)
- Vendor / Product
- Hot Topic / Box Lunch / Torrid retail brands
- Malware Family
- Infostealer malware (targeting Robling, third-party analytics vendor)
- Supply Chain Attack
- β Confirmed third-party / vendor compromise
Timeline
- 2024-10-01 Breach occurred
- 2024-10-21 Publicly disclosed
- 2024-11-01 Customers notified