
In a significant data breach that has put the personal information of millions at risk, the personal details of 56,904,909 users of US-based retail chain Hot Topic, which operates more than 640 stores, have been leaked online.
The compromised data includes sensitive information such as email addresses, physical addresses, phone numbers, purchase history, gender, and dates of birth. Partial credit card data was also exposed, raising further concerns about financial security for affected customers.
The breach, initially reported by cybersecurity firm Hudson Rock last month, has now been corroborated by Have I Been Pwned (HIBP), a prominent breach notification service. HIBP confirmed that it alerted over 56 million customers about the breach earlier this week. Although Hot Topic has yet to confirm the incident publicly, HIBP attributes the breach to an attack on October 19, allegedly carried out by a threat actor using the alias “Satanic.”
The hacker has claimed responsibility for stealing data collected through Hot Topic’s loyalty program and alleges the database contains information on 350 million users, although this figure appears to be exaggerated. The actor reportedly demands $100,000 from Hot Topic to prevent the database from being sold and offers it on underground forums for $20,000.
Hudson Rock has traced the breach back to a malware infection on a computer at Robling, a third-party retail analytics firm working with Hot Topic. The infection reportedly allowed the hacker to steal credentials and potentially infiltrate Hot Topic’s cloud systems. Hudson Rock’s cyber intelligence platform, Cavalier, flagged the compromised device, underscoring the growing risk of third-party vulnerabilities in retail ecosystems.
Despite mounting evidence, Hot Topic has not issued a statement or informed affected customers. This lack of communication has raised concerns about the company’s handling of the incident, with some speculating that it is still assessing the extent of the breach.