Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts for Hot Topic, Box Lunch, and Torrid customers.
Hot Topic is an American retail chain specializing in counterculture-related clothing, accessories, and licensed music merchandise. The company operates over 640 stores across the United States and Canada, primarily located in shopping malls, and has a vast customer base.
According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, Box Lunch, and Torrid customers.
The security incident was initially claimed on BreachForums by a threat actor named “Satanic” on October 21, 2024. The threat actor claimed to have stolen 350 million user records from Hot Topic and its related brands, Box Lunch and Torrid.
“Satanic” was attempting to sell the database for $20,000 while also demanding a ransom payment of $100,000 from Hot Topic to remove the listing from the forums.
At the time, BleepingComputer contacted Hot Topic to ask about the authenticity of the data but received no response.
A report from HudsonRock published on October 23 suggested that the breach may have originated from an information stealer malware infection that stole credentials for a data unification service used by Hot Topic.
While Hot Topic has remained silent, and no notifications were sent to potentially impacted customers, data analytics firm Atlas Privacy reported last week that the 730GB database actually impacts 54 million customers.
Additionally, Atlas clarified that the dataset contains 25 million credit card numbers encrypted with a weak cipher that’s easy to break using modern computers.
Although Atlas is not 100% certain the database belongs to Hot Topic, it noted that nearly half of all email addresses were not seen in previous breaches, further supporting the legitimacy of the threat actor’s claims.
Atlas says the breach appears to have occurred on October 19, and the data spans from 2011 until that date.
The firm has set up a site that allows Hot Topic customers to check if their email address or phone number is exposed in the data leak.
Meanwhile, the threat actor continues to sell the database, albeit at a lower price of $4,000.
Potentially impacted Hot Topic customers should stay vigilant for phishing attacks, monitor their financial accounts closely for suspicious activity, and change their passwords on every platform where they use the same credentials.
BleepingComputer has contacted Hot Topic again requesting a comment, but we had not heard back by publication time.