Incident Of The Week: Uniqlo Suffers Credential Stuffing Cyber Attack

The sooner we can get away from passwords, the better. Failing that, shaming people that use the same details again and again…:

Fast Retailing, the company behind multiple Japanese retail brands including Uniqlo, confirmed in an official statement that it is the latest victim of a credential stuffing attack. The company said that from April 23 to May 10, 2019, there were fraudulent logins to 461,091 accounts [so far, as it is still under investigation].


According to the statement, “We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”

Attack Details Known So Far

The number of customer accounts for which unauthorized login has been confirmed: 461,091 accounts registered with the UNIQLO and GU official online stores.

Customer personal information that may have been viewed:

  • Customer’s name (first name, last name, phonetic)
  • Customer’s address (zip code, city, county, street address, room number)
  • Phone number, mobile phone number, e-mail address, gender, date of birth, purchase history, name and size registered in My Size
  • Shipping name (first name, last name, address), phone number
  • Part of credit card information (card holder, expiration date, part of credit card number). Credit card numbers are hidden except for the first four digits and the last four digits. CVV numbers (credit card security codes) are not displayed or stored, so there is no possibility of leakage.

Once the company identified the source of the unauthorized login attempts, it blocked access from that source and strengthened monitoring of other access. For the 461,091 user IDs whose personal information may have been viewed, passwords were invalidated on May 13, and e-mails were sent asking customers to reset their passwords. In addition, the case was reported to the Tokyo Metropolitan Police Department.
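The response described above (find the login source, block it, invalidate the affected passwords) can be sketched as detection logic over authentication logs. This is an added example, not code from Fast Retailing or the original article; the log format, the sample lines and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: timestamp, source IP, user ID, outcome.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z 203.0.113.7 u1@example.com FAIL
2019-05-01T10:00:02Z 203.0.113.7 u2@example.com FAIL
2019-05-01T10:00:03Z 203.0.113.7 u3@example.com OK
2019-05-01T10:00:04Z 203.0.113.7 u4@example.com FAIL
2019-05-01T10:00:05Z 203.0.113.7 u5@example.com FAIL
2019-05-01T10:00:06Z 203.0.113.7 u6@example.com FAIL
2019-05-01T10:02:00Z 198.51.100.20 u7@example.com FAIL
2019-05-01T10:02:09Z 198.51.100.20 u7@example.com OK
2019-05-01T10:03:00Z 192.0.2.44 u8@example.com FAIL
2019-05-01T10:03:01Z 192.0.2.44 u8@example.com FAIL
2019-05-01T10:03:02Z 192.0.2.44 u8@example.com FAIL
"""

def find_stuffing_sources(log, min_accounts=5, max_success_ratio=0.3):
    """Flag sources that try many distinct accounts and mostly fail.

    Credential stuffing replays leaked username/password pairs, so one
    source touches many accounts once or twice each. A single account
    hit repeatedly (password guessing) or a user mistyping is not flagged.
    Thresholds are illustrative assumptions, not recommended values.
    """
    attempts = defaultdict(int)   # ip -> total login attempts
    tried = defaultdict(set)      # ip -> distinct accounts attempted
    opened = defaultdict(set)     # ip -> accounts with a successful login
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        attempts[ip] += 1
        tried[ip].add(user)
        if outcome == "OK":
            opened[ip].add(user)

    suspects = {}
    for ip, accounts in tried.items():
        ratio = len(opened[ip]) / len(accounts)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            suspects[ip] = {
                "attempts": attempts[ip],
                "accounts": len(accounts),
                # Successful logins from a flagged source: reset these passwords.
                "reset": sorted(opened[ip]),
            }
    return suspects

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Attackers commonly spread attempts across many addresses, so the same grouping is usually applied to other keys as well, such as network range or client fingerprint.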

[…]

Fast Retailing urges its customers using its online store site to cooperate by:

  1. Setting a password different from the ones used for other companies’ services.
  2. Not using passwords that third parties can easily guess.

[…]

Original article here