J.Crew suffered a credential stuffing attack that may have compromised the personal data of customers, the U.S. clothing retailer disclosed earlier this week. Fraudulent activity was apparently noticed last spring, but the firm did not reveal the number of compromised accounts on its website.
In a data breach notice sent to shoppers, the company states that “through routine and proactive web scanning, we recently discovered information related to your jcrew.com account. Based on our review, we believe your email address (used as your jcrew.com username) and password were obtained by an unauthorized party and in or around April 2019 used to log into your jcrew.com account.”
It’s unclear why it took the company almost a year to notify users, but studies show it takes an average of 197 days to identify a data breach. Although the number of victims was not revealed, California law obliges companies to send out security breach notices only if the incident affected more than 500 residents. It is safe to assume the number of victims falls above that, potentially by an order of magnitude.
On top of the compromised email addresses and passwords, the threat actor could have accessed additional information stored on the account, including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers and shipping confirmation numbers, along with order status. In an attempt to minimize the damage, the company disabled the accounts marked with suspicious activity and asked users to reset their login passwords.
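Marking accounts as suspicious after a credential stuffing campaign usually comes down to one signal in the authentication logs: a single client source cycling through many different usernames with a high failure rate, and the handful of accounts that did authenticate from that source. The following is an added example written for this page, not code from the article or from J.Crew; the log format (timestamp, client IP, username, result per line), the sample log lines and the thresholds are all constructed assumptions.

```python
"""
Credential-stuffing detection over web authentication logs (added example).

Constructed sample input, not data from the J.Crew incident. The log format
(one line per login attempt: timestamp, client IP, username, result) is an
assumption; real web servers and identity providers use their own formats.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines. One client IP cycles through many different
# usernames (the credential-stuffing signature: a leaked username/password
# list replayed against the login form), while a normal user mistypes once.
SAMPLE_LOG = """\
2019-04-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-04-02T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-04-02T10:00:02Z 203.0.113.7 carol@example.com OK
2019-04-02T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-04-02T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-04-02T10:00:04Z 203.0.113.7 frank@example.com OK
2019-04-02T10:00:04Z 203.0.113.7 grace@example.com FAIL
2019-04-02T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-04-02T10:05:00Z 198.51.100.20 ivan@example.com FAIL
2019-04-02T10:05:09Z 198.51.100.20 ivan@example.com OK
"""


@dataclass
class SourceStats:
    """Per-client-IP counters accumulated over the log."""
    usernames: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, ok)."""
    ts, ip, user, result = line.split()
    return ts, ip, user.lower(), result == "OK"


def summarize(log_text):
    """Aggregate attempts, failures and successful usernames per client IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.usernames.add(user)
        s.attempts += 1
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(log_text, min_distinct_users=5, min_failure_ratio=0.5):
    """Return {ip: [accounts that authenticated successfully from that ip]}
    for every source that tried many distinct usernames and mostly failed.
    A legitimate user retrying one account never crosses the distinct-user
    threshold. Thresholds are assumptions to tune per site."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        many_users = len(s.usernames) >= min_distinct_users
        mostly_failing = s.failures / s.attempts >= min_failure_ratio
        if many_users and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


def accounts_to_disable(log_text, **thresholds):
    """Accounts successfully logged into from a flagged source: the
    candidates for disabling and a forced password reset."""
    accounts = set()
    for users in flag_stuffing_sources(log_text, **thresholds).values():
        accounts.update(users)
    return sorted(accounts)


if __name__ == "__main__":
    for ip, hits in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; accounts logged into: {hits}")
    print("disable and force reset:", accounts_to_disable(SAMPLE_LOG))
```

On the constructed sample, 203.0.113.7 is flagged (eight distinct usernames, six failures out of eight attempts) and the two accounts it logged into are returned for reset, while the single user who retried from 198.51.100.20 is left alone. In production the same aggregation is usually done per source over a sliding window, and an organisation's own "routine web scanning" of leaked credential dumps, as the notice describes, complements it by catching reused passwords before they are replayed.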
Data breaches and data leaks often take a long time to discover. Don’t rely solely on corporate notification emails – a company can’t notify you of a data breach or security incident unless it knows about it. As with any such leak, you should change the passwords for all of your accounts, and by no means should you recycle old passwords just because they are easier to memorize. Should you find that difficult, you can always use a password manager. Don’t forget to keep your security solution up to date and monitor all your online accounts for suspicious activity. It’s always a good idea to enable 2FA (two-factor authentication) on all of your e-commerce and social media accounts. If somebody tries to access your account, you’ll be notified of the questionable activity so you can take immediate action.