Have I Been Pwned (HIBP) has alerted nearly 57 million customers of Hot Topic, Box Lunch, and Torrid about a data breach that exposed sensitive personal information.

This breach impacts a wide range of customer data, including full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card information.

The breach was first announced on BreachForums on October 21, 2024, by a threat actor named “Satanic,” who claimed to have stolen 350 million records from Hot Topic and related brands. The actor initially priced the database at $20,000 while demanding a $100,000 ransom from Hot Topic to remove the data from the forums.

Source: BleepingComputer

In response to the breach, data analytics firm Atlas Privacy analyzed the 730GB dataset, estimating that it affects around 54 million unique customers. Atlas noted that the database includes 25 million credit card numbers encrypted with a weak cipher, making them vulnerable to modern decryption methods. Atlas also pointed out that almost half of the email addresses had not appeared in previous data leaks, suggesting the breach is legitimate.

While Hot Topic has neither confirmed the breach nor informed affected customers, analysts speculate the attack may have originated from an information-stealing malware infection that compromised credentials used by Hot Topic’s data management services.

The alleged breach data spans from 2011 to October 19, 2024. Customers of Hot Topic, Box Lunch, and Torrid are advised to stay vigilant for potential phishing attacks, monitor financial accounts for unusual activity, and update passwords for any overlapping accounts.

Atlas has set up a website where Hot Topic customers can check if their email or phone number was exposed in this breach. Despite repeated requests, Hot Topic has yet to provide an official response.