J.Crew Customer Accounts Breached a Year Ago

J.Crew has informed customers that their accounts and personal information may have been compromised by an unauthorized third party, in what appears to be a credential stuffing attack.

The popular US clothing retailer claimed the hacker obtained customer usernames and logins and used them to access the accounts in around April 2019.

“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” the notice read.

“We do not have reason to believe that the unauthorized party gained access to any additional information within your account.”

Still, these details would be enough to craft highly convincing phishing emails designed to elicit further information from customers, with the aim of full-scale identity fraud.

The firm has reset passwords for the affected accounts and urged customers to change the credential if they use it across any other sites.

However, the notice raises one important question: if the incident was detected “through routine and proactive web scanning” by J.Crew, why did it take almost a year to alert customers?

Red Canary co-founder, Chris Rothe, argued that this “scanning” may refer to the firm’s dark web searches for customer data, which may not have elicited the stolen data for months.  

“This is an interesting aspect of breaches that I don't think mo ..

Support the originator by clicking the read the rest link below.