
Levi Strauss Reports Credential Stuffing Attack Affecting Thousands of Users

Jeans giant forces a password reset for affected users.

Levi Strauss has reported a credential stuffing attack which may have compromised around 72,000 customer accounts. 

The denim giant apparently said attackers were able to re-use passwords from other sites in order to access customer accounts, and potentially expose names, emails, mailing addresses, order history, and some payment card data.

“On June 13th we identified an unusual spike in activity on our website,” Levi’s said. “Our investigation showed characteristics associated with a ‘credential stuffing’ attack where bad actor(s) who have obtained compromised account credentials from another source (such as a third-party data breach) then use a bot attack to test these credentials against another website.”

Forced Resets

To remedy the matter, Levi Strauss has forced password resets for all of the stolen accounts, and the company is advising users to pick unique passwords this time in order to avoid further credential stuffing attacks.

“In an abundance of caution, we responded to the attack by promptly deactivating account credentials for all user accounts that were accessed during the relevant time period,” Levi’s said.

Thomas Richards, principal consultant at the Synopsys Software Integrity Group, said: “Fortunately in this case, only customer emails were compromised and not complete credit card numbers or other private information.

“While the addresses may already be known publicly, this would allow an attacker to craft targeted phishing campaigns about this brand to elicit the targets to perform an action like resetting a password on a malicious landing page resembling the official one. The partially compromised credit card information would provide the attackers with a pretext of a legitimate transaction failing.”


Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
