Jeans giant forces a password reset for affected users.
Levi Strauss has reported a credential stuffing attack which may have compromised around 72,000 customer accounts.
The denim giant apparently said attackers were able to re-use passwords from other sites in order to access customer accounts, and potentially expose names, emails, mailing addresses, order history, and some payment card data.
“On June 13th we identified an unusual spike in activity on our website,” Levi’s said. “Our investigation showed characteristics associated with a ‘credential stuffing’ attack where bad actor(s) who have obtained compromised account credentials from another source (such as a third-party data breach) then use a bot attack to test these credentials against another website.”
Forced Resets
To remedy the matter, Levi Strauss has forced password resets for all of the stolen accounts, and the company is advising users to pick unique passwords this time in order to avoid further credential stuffing attacks.
“In an abundance of caution, we responded to the attack by promptly deactivating account credentials for all user accounts that were accessed during the relevant time period,” Levi’s said.
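The detection and response pattern the article describes (spot the spike, then deactivate every account that was accessed during the attack window) can be sketched in a few lines. The following is an added example, not code from the article or from Levi Strauss; the log format, IP addresses, account names and thresholds are all constructed for illustration.

```python
# Added example (not from the article or Levi Strauss): a minimal credential-
# stuffing detector over constructed login-log lines. It flags sources that try
# many distinct accounts with a high failure rate, then lists the accounts that
# were successfully accessed from them: the set a site would force-reset.
from collections import defaultdict

# Constructed sample log, one attempt per line: "<time> <source_ip> <account> <result>".
SAMPLE_LOG = """\
2024-06-13T10:00:01 203.0.113.7 alice@example.com FAIL
2024-06-13T10:00:01 203.0.113.7 bob@example.com FAIL
2024-06-13T10:00:02 203.0.113.7 carol@example.com OK
2024-06-13T10:00:02 203.0.113.7 dave@example.com FAIL
2024-06-13T10:00:03 203.0.113.7 erin@example.com FAIL
2024-06-13T10:00:03 203.0.113.7 frank@example.com OK
2024-06-13T10:05:00 198.51.100.4 alice@example.com FAIL
2024-06-13T10:05:10 198.51.100.4 alice@example.com OK
2024-06-13T10:06:00 192.0.2.9 ivan@example.com OK
"""

def parse_log(text):
    """Yield (source_ip, account, succeeded) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _time, ip, account, result = line.split()
            yield ip, account, result == "OK"

def detect_stuffing(text, min_accounts=5, min_fail_rate=0.6):
    """Map each flagged source to the accounts it successfully accessed.
    Flag = many distinct accounts tried and most attempts failing; a user
    retrying their own password (one account) never meets min_accounts."""
    attempts, failures = defaultdict(int), defaultdict(int)
    accounts, accessed = defaultdict(set), defaultdict(set)
    for ip, account, ok in parse_log(text):
        attempts[ip] += 1
        accounts[ip].add(account)
        if ok:
            accessed[ip].add(account)
        else:
            failures[ip] += 1
    return {ip: accessed[ip] for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and failures[ip] / attempts[ip] >= min_fail_rate}

def accounts_to_reset(text):
    """Accounts accessed from any flagged source: deactivate these and force
    a password reset, as the article describes Levi's doing."""
    return set().union(*detect_stuffing(text).values())

if __name__ == "__main__":
    print(sorted(accounts_to_reset(SAMPLE_LOG)))
```

In production the same counts would be kept per time window and per source network rather than per single IP, since stuffing bots rotate addresses, but the signal (many accounts, mostly failures) is the same one the article's "unusual spike" refers to.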
Thomas Richards, principal consultant at the Synopsys Software Integrity Group, said: “Fortunately in this case, only customer emails were compromised and not complete credit card numbers or other private information.
“While the addresses may already be known publicly, this would allow an attacker to craft targeted phishing campaigns about this brand to elicit the targets to perform an action like resetting a password on a malicious landing page resembling the official one. The partially compromised credit card information would provide the attackers with a pretext of a legitimate transaction failing.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.