The site Have I Been Pwned reports that a data breach has exposed the personal information of 56,904,909 accounts belonging to customers of Hot Topic, Torrid, and Box Lunch. Linked to a hacker known as “Satanic,” the breach impacted approximately 54 million email addresses and lightly encrypted credit card information for 25 million users according to Atlas Privacy.
Who Is the Threat Actor “Satanic”?
The hacker or group known as Satanic gained notoriety in late 2024 after taking responsibility for the Hot Topic data breach. However, there is no extensive history or prior record of Satanic being linked to other major attacks before this incident.
Hot Topic Breach: Alleged Attack Vector and Tactics
According to the security firm Hudson Rock, the Hot Topic breach allegedly stemmed from a vulnerability in a cloud-based data management platform, Snowflake, used by the company for storing and analyzing large amounts of customer data.
Here’s how the attack is alleged to have unfolded:
- Malware Infection and Initial Access: The breach likely began with a malware infection on the device of an employee at Robling, a retail analytics company affiliated with Hot Topic. The malware, identified as an infostealer, was designed to extract sensitive information, including login credentials and other authentication details. Infostealers are particularly dangerous because they can capture keystrokes, session cookies, and stored passwords from infected systems, and this is not just a problem for PCs. As Senior Forbes Contributor Davey Winder explains, infostealers are an Apple problem too. The Robling employee’s malware infection allegedly provided Satanic with around 240 credentials, allowing the hacker access to Hot Topic’s Snowflake platform and critical customer data.
- Exploiting MFA Gaps: With the stolen credentials from the infostealer, Satanic allegedly gained access to Hot Topic’s Snowflake account, taking advantage of the absence of multi-factor authentication. MFA provides an additional layer of security by requiring users to verify their identity through a code sent to a separate device or app, but without it, Satanic was able to log in using the compromised credentials without further checks. This critical security gap allowed the hacker to access Snowflake’s systems with relative ease.
- Cloud Storage Vulnerabilities: Once inside Snowflake, Satanic reportedly leveraged the platform’s interconnected data structure to navigate through different datasets, gathering sensitive information as they went. While Snowflake offers powerful data management capabilities, like almost any application, it can be vulnerable if permissions are not strictly configured. Misconfigured access settings or overly permissive accounts in cloud systems allow attackers like Satanic to move laterally within a company’s data environment, escalating the impact of a single breach and increasing the scope of compromised data.
- Data Exfiltration and Double Extortion: Having accessed Hot Topic’s sensitive data, including names, addresses, email addresses, and credit card details, Satanic then engaged in a tactic known as “double extortion.” This method involves both encrypting and exfiltrating data, then pressuring the victim by threatening to release the stolen data publicly if ransom demands are not met. Satanic uploaded samples of Hot Topic’s stolen data to dark web forums as proof of possession, a common tactic to validate the breach and intensify ransom demands.
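As an added defender-side example, not part of the original article or of Snowflake's documentation: Snowflake SQL an account administrator could run to audit the two gaps described in the steps above (password logins with no second factor, and privileges granted too broadly) and then close the MFA gap with an authentication policy. The policy name and the 30-day window are assumptions; the views and columns are the standard SNOWFLAKE.ACCOUNT_USAGE ones.

```sql
-- 1. Human users who can log in with a password but have no MFA enrolled.
--    These are the accounts an infostealer-harvested credential would unlock.
SELECT name, last_success_login, disabled
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days (assumed window) that used a
--    password as the only factor. Each row is a session that a stolen
--    password alone was enough to open; review the source IPs.
SELECT user_name,
       client_ip,
       MIN(event_timestamp) AS first_seen,
       COUNT(*)             AS logins
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP  BY user_name, client_ip
ORDER  BY logins DESC;

-- 3. Privileges granted to PUBLIC, which every user inherits. Anything
--    beyond USAGE on a few shared objects widens the blast radius of one
--    compromised login across unrelated datasets.
SELECT privilege, granted_on, name, granted_by
FROM   snowflake.account_usage.grants_to_roles
WHERE  grantee_name = 'PUBLIC'
  AND  deleted_on IS NULL
ORDER  BY granted_on, name;

-- 4. Require MFA enrolment account-wide. Policy name is assumed.
--    MFA_ENROLLMENT = REQUIRED needs SNOWFLAKE_UI in CLIENT_TYPES so users
--    can complete enrolment; service accounts should move to key-pair auth
--    rather than stay on passwords.
CREATE AUTHENTICATION POLICY require_mfa_policy
  AUTHENTICATION_METHODS      = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS  = ('PASSWORD')
  MFA_ENROLLMENT              = REQUIRED
  CLIENT_TYPES                = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

The ACCOUNT_USAGE views lag live activity by up to a couple of hours, so use SHOW USERS for an immediate spot check of has_mfa.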
Hot Topic’s Response To The Data Breach
As of now, it does not appear that Hot Topic has notified state offices of attorneys general or its customers about the data breach. As of this publication, media organizations like TechCrunch and BleepingComputer are yet to obtain a response.
I have contacted Hot Topic for comment. This article will be updated when they respond.