Clothing Company J.Crew Says A Hacker Accessed Customer Accounts – Experts Comments

Date: 2020-03-06

It has been reported that clothing giant J.Crew has said an unknown number of customers had their online accounts accessed “by an unauthorised party” almost a year ago, but is only now disclosing the incident. The company said in a filing on Tuesday with the California attorney general that the hacker gained access to the customer accounts in or around April 2019. According to the letter, the hacker obtained information found in the customer’s online account — including card types, the last four digits of card payment numbers, expiration dates, and associated billing addresses. Online accounts also store the customer’s order numbers, shipping confirmation numbers, and shipment statuses.

Robert Capps, VP, NuData Security
March 06, 2020
With the potentially-stolen customer data, bad actors can impersonate them online.
Credential stuffing is one of the most common types of attacks across the digital ecosystem. Within the NuData network, we see millions of credential stuffing attempts every day. The number of these credential stuffing attempts that have correct username and passwords is low. Still, if they are not detected, these attacks can access those accounts and any sensitive information in them. This seems ....
Jason Kent, Hacker in Residence, Cequence Security
March 06, 2020
The attacker generates a list of usernames that work on an application.
We see this every day, an application that doesn’t have protection against rapid credential testing. The attacker generates a list of usernames that work on an application. Once the usernames are known the attackers test large numbers of passwords they have found or created. Eventually the attacker learns the usernames and passwords of several accounts and in the next phase they attack. Both the ....
Jonathan Knudsen, Senior Security Strategist, Synopsys
March 06, 2020
Don’t re-use the same password across multiple sites.
For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned. First, credential stuffing is an attack where previously leaked lists of user names and passwords are used to gain unauthorised access to systems. Knowing this, the best course of action is to practice good password hygiene. Don’t re-use the same password across mu ....
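
The comments above describe credential stuffing as rapid testing of many accounts in which only a small share of attempts carry correct credentials. The following is an added example, not part of the original article or any vendor's product, of a defender-side check for that pattern over login events. The event layout, the per-source-IP grouping, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2019, 4, 1, 12, 0, 0)  # constructed timestamp for the sample data

def sample_events():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    events = []
    # One source tests 30 different accounts in 60 seconds; a single guess succeeds.
    for i in range(30):
        events.append((T0 + timedelta(seconds=2 * i), "203.0.113.7",
                       f"user{i}@example.com", i == 17))
    # An ordinary customer mistypes a password twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((T0 + timedelta(seconds=30 * i), "198.51.100.20",
                       "alice@example.com", ok))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=20, max_success_ratio=0.1):
    """Flag sources that, inside a sliding window, try many distinct
    usernames while only a small fraction of attempts succeed.
    Returns {source_ip: (peak_distinct_usernames, success_ratio_at_peak)}."""
    recent = defaultdict(deque)  # source_ip -> events still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        ratio = sum(1 for _, _, o in q if o) / len(q)
        # Many accounts AND few successes: a shared NAT with many legitimate
        # users has a high success ratio and is not flagged.
        if len(users) >= min_users and ratio <= max_success_ratio:
            if ip not in flagged or len(users) > flagged[ip][0]:
                flagged[ip] = (len(users), round(ratio, 3))
    return flagged

if __name__ == "__main__":
    for ip, (n_users, ratio) in detect_stuffing(sample_events()).items():
        print(f"{ip}: {n_users} distinct usernames, success ratio {ratio}")
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting can be keyed on other attributes a site records, such as a device or session identifier.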
