Clothing retailer J.Crew has revealed that an undetermined number of its customers’ online accounts were accessed by an “unauthorized party”, nearly a year after the incident occurred.
In a filing with the California attorney general on Tuesday, the clothing company disclosed that the hacker gained access to customer accounts sometime in April 2019. Information the hacker potentially obtained included payment card types, the last four digits of card payment numbers, expiration dates, and associated billing addresses. The online accounts also store other information, such as store customer order numbers, shipping confirmation numbers, and shipment statuses.
A spokesperson confirmed with TechCrunch that the hacker utilized a technique called “credential stuffing,” wherein the cyber attacker would use stolen username and password data from another previous breach to match against other websites. This approach to breaching online accounts can severely affect those users who use the same usernames and passwords across different websites and online services.
The J.Crew representative also said that only a “small number” of customers were affected, but declined to specify an exact number. The spokesperson additionally stated that “routine web scanning” detected the breach, and that customers were “promptly notified” of the incident.
TechCrunch reported that companies operating in California are mandated by law to report to the state attorney general any security incidents that involve more than 500 local customers. J.Crew’s letter to the attorney general indicated that it was a “multi-state” notification, which means that customers in other states were also affected.