Hackers used credential-stuffing to compromise over 70k Levi Strauss customer accounts

U.S. clothing giant Levi Strauss said it experienced a data security incident that compromised the sensitive personal information of more than 70,000 individuals.

 

In a recent data breach notice filed with the Office of the Maine Attorney General, the maker of the famous Levi’s denim jeans said that on June 13, it identified an unusual spike in activity on its website. The company immediately launched an investigation to determine the nature and scope of the incident.

 

“Our investigation showed characteristics associated with a “credential stuffing” attack where bad actor(s) who have obtained compromised account credentials from another source (such as a third-party data breach) then use a bot attack to test these credentials against another website – in this case www.levis.com.

 

“LS&Co was not the source of the compromised login credentials,” the company clarified.

 

Levi’s added that threat actors employed a successful credential stuffing attack to access customer accounts and exfiltrated sensitive personal information. The compromised data included victims’ names, email addresses, stored addresses, order histories, payment method, and partial card information including the last 4 digits of card numbers, card type and expiration dates.

 

Levi’s filing with the Maine state regulator revealed that at least 72,231 individuals were impacted by the data security incident.

 

The company said it found no evidence of any fraudulent purchases initiated using the compromised data as its systems do not allow saved payment methods to be used for purchases without a secondary means of authentication.

 

“We responded to the attack by promptly de-activating account credentials for all user accounts that were accessed during the relevant time period. We recently issued a forced password reset after detecting suspicious activity on our website,” Levi Strauss added.