
American pet retail giant PetSmart has warned its customers of a possible credential stuffing attack that has forced it to reset all customer passwords.
PetSmart is among the largest American pet retail chains, selling pet products to more than 60 million pet parents through more than 1,600 stores nationwide.
In an email notification sent to customers, the company said that its security tools recently identified a rise in password-guessing attacks on its official website, PetSmart[.]com.
.@PetSmart sent out the following email.
— Dark Web Informer (@DarkWebInformer) March 6, 2024
“In an abundance of caution to protect you and your account, we have inactivated your password. The next time you visit petsmart[.]com, simply click the "forgot password" link to reset your password,” reads the email. PetSmart added that neither the website nor any of its systems have been compromised.
A credential stuffing attack involves cyber criminals collecting login usernames and passwords from previously compromised accounts and using those credentials to try to log in to other sites.
“Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours. To help keep your accounts secure, remember to use strong passwords, change your passwords at least a few times a year, and use different passwords for each of your important accounts,” PetSmart added.
In 2022, Neopets, a highly popular virtual pet website, said it suffered a major data breach incident that compromised customer data. As soon as the company identified the breach, it involved external cyber security experts to assist with the investigation and notified law enforcement authorities.
A hacker using the pseudonym ‘TarTarX’ quickly claimed responsibility for the breach and started advertising the compromised database and source code of Neopets for sale at a price of four Bitcoins, worth approximately £76,139.
The hacker claimed that they stole the database and approximately 460MB (compressed) of source code from the neopets.com website. TarTarX also claimed that the stolen database contained sensitive personal information of more than 69 million members.
The compromised information included names, dates of birth, email addresses, postcodes, members’ usernames, gender, country, an initial registration email, and other site and game-related information.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543