The clothing retailer Bonobos has suffered a data breach involving 70GB of data that exposed the personal details of millions of customers. The breach occurred when an attacker downloaded a cloud backup of the store's database; the company maintains that its internal systems were never breached.
Bonobos launched in 2007 as an online men's clothing retailer. In 2012 it expanded to physical stores in sixty locations where customers could try on clothes before buying, and in 2017 Walmart bought Bonobos for $300 million to sell its clothes on Walmart's website, Jet.com.
Recently, a well-known threat actor called ShinyHunters, known for breaching online platforms and trading the stolen data, published the stolen Bonobos data on an open hacking forum. The published data is part of a 70GB SQL file containing several tables used by the Bonobos site. The SQL file also included sensitive data of value to attackers, such as customers' phone numbers, addresses, password history, partially masked credit card numbers, and order details.
The amount of breached data differs by category. For instance, the leaked data includes account details of 1.8 million customers, partially masked credit card information for 3.5 million customers, and phone numbers and addresses of 7 million customers. The attacker stated that the passwords in the database were hashed with SHA-256 and SHA-512, and claims that 158,000 of the SHA-256 hashed passwords have been cracked, while the SHA-512 hashed passwords are too difficult to crack. The cracked passwords have been turned into a combo list, which is used for attacks such as credential stuffing. Credential stuffing is the use of stolen credentials to log in to other websites.
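The paragraph above explains why a bare SHA-256 password table is so exposed: the hash has no per-user salt and is fast to compute, so identical passwords share one digest and a single guess unlocks every account that uses it. The Python below is an added example, not code from the article or from Bonobos; it contrasts that legacy scheme with a salted, deliberately slow PBKDF2 store (600,000 iterations, the current OWASP recommendation for PBKDF2-HMAC-SHA256) and includes a small audit helper a defender could run over a password column to find records that still look like bare SHA-256/SHA-512 digests. The record format `pbkdf2_sha256$iterations$salt$key` and the sample users are assumptions of this example.

```python
"""Contrast an unsalted SHA-256 password store with a salted PBKDF2 store,
and audit stored values for legacy bare digests (added example)."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample: two users who happen to share the same password.
SAMPLE_PASSWORDS = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "x9#Lq-wandering-otter"}

# Hypothetical stored-record layout used by this example: scheme$iterations$salthex$dkhex
PBKDF2_ITERATIONS = 600_000


def fast_unsalted_hash(password: str, algo: str = "sha256") -> str:
    """The legacy scheme the article describes: one bare digest per password, no salt.
    Identical passwords yield identical digests, and SHA-256 is cheap enough that
    dictionary attacks run at billions of guesses per second on commodity GPUs."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# A bare SHA-256 digest is 64 hex chars, a bare SHA-512 digest is 128.
_BARE_DIGEST = re.compile(r"^(?:[0-9a-f]{64}|[0-9a-f]{128})$")


def is_legacy_hash(stored: str) -> bool:
    """Audit helper: True when a stored value looks like an unsalted SHA-256/SHA-512 digest."""
    return bool(_BARE_DIGEST.match(stored.strip().lower()))


def audit(records: Dict[str, str]) -> List[str]:
    """Return the users whose stored password value is a legacy bare digest."""
    return sorted(user for user, value in records.items() if is_legacy_hash(value))


if __name__ == "__main__":
    legacy = {u: fast_unsalted_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("alice and bob share a digest:", legacy["alice"] == legacy["bob"])
    modern = {u: kdf_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("alice and bob share a record:", modern["alice"] == modern["bob"])
    print("verify alice:", verify("Summer2020!", modern["alice"]))
    print("legacy records found:", audit({**legacy, "dave": modern["carol"]}))
```

Running the script shows that alice and bob collide under the unsalted scheme but not under PBKDF2, and that the audit picks out only the bare-digest records. Migration in practice is done lazily: keep the legacy digest until the user next logs in successfully, then re-hash the plaintext with the KDF and replace the record, and force a reset for any account that has not logged in by a cut-off date.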
Even though the full payment card details have not been exposed, the partially visible data can still be used in phishing emails to obtain the rest. In an email to BleepingComputer, Bonobos said that keeping customer information safe is its top priority and that, since it began investigating the incident, it has found no evidence that its internal systems were breached; it is, however, confident that an attacker gained access to a database backup file stored in a third-party cloud environment. The company contacted the cloud hosting provider as soon as it became aware of the breach to discuss resolving the problem as quickly as possible. Bonobos also described the measures it is taking to secure the exposed accounts, including invalidating passwords, requiring password resets, and switching points of access.
Bonobos is also notifying customers by email about the breach, the details exposed, and the fact that payment details were not compromised. These emails contain password reset links. The email sent to customers states: “We believe an unauthorized third party may have been able to view some of your account details, including your contact information and encrypted password. Your encrypted password was protected so your actual password was not visible. Payment card information was not affected by the issue. To protect the security of your account, we are resetting your password and have logged you out of your account. To log back in, you just need to set a new, unique password through the link below. Please do not use a password that you already use for other online or mobile services. We suggest using a unique password for each online or mobile account you have. If you get an email or text asking for an account number or password, don’t respond. Bonobos would never ask you to share your personal information in an email or text. If you have questions or detect any suspicious activity on your account, please contact us here.”
Bonobos customers are advised to reset their passwords and, if the same password was used on any other website, to change it there to a unique one as well. Using a different password for every service greatly reduces the chance that a breach at one site leads to compromised accounts elsewhere. Customers can use a password manager to store their passwords, and they should stay alert for phishing emails that exploit the leaked details.
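The advice above rests on the credential-stuffing pattern described earlier: a combo list from one breach is replayed against many other sites, one attempt per account. From the defending site's side that pattern is visible in authentication logs as a single source address trying many distinct usernames in a short window with almost no successes, which is unlike a legitimate user retrying their own password. The Python below is an added example, not code from the article or from Bonobos; the log line format (`timestamp ip=… user=… result=ok|fail`), the addresses (RFC 5737 documentation ranges), and the thresholds are constructed for this illustration.

```python
"""Detect credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical log format assumed by this example.
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample log. 203.0.113.5 tries six different accounts once each, the
# signature of a replayed combo list; 198.51.100.7 is one user mistyping a password
# twice before succeeding; 192.0.2.9 is a normal single login.
SAMPLE_LOG = """\
2021-01-22T10:00:01Z ip=203.0.113.5 user=alice result=fail
2021-01-22T10:00:02Z ip=198.51.100.7 user=gina result=fail
2021-01-22T10:00:02Z ip=203.0.113.5 user=bob result=fail
2021-01-22T10:00:03Z ip=203.0.113.5 user=carol result=fail
2021-01-22T10:00:04Z ip=203.0.113.5 user=dave result=fail
2021-01-22T10:00:05Z ip=198.51.100.7 user=gina result=fail
2021-01-22T10:00:05Z ip=203.0.113.5 user=erin result=fail
2021-01-22T10:00:06Z ip=203.0.113.5 user=frank result=ok
2021-01-22T10:00:09Z ip=198.51.100.7 user=gina result=ok
2021-01-22T10:01:00Z ip=192.0.2.9 user=hank result=ok
"""

Event = Tuple[datetime, str, str, bool]  # (timestamp, ip, user, success)


def parse(lines) -> List[Event]:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, max_success_ratio: float = 0.2) -> Dict[str, Dict[str, int]]:
    """Flag source IPs that, within any sliding `window`, attempt at least `min_users`
    distinct accounts with a success ratio at or below `max_success_ratio`.
    Returns {ip: {"users": n, "attempts": n, "successes": n}} for the widest such window."""
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds its duration.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {user for _, user, _ in win}
            successes = sum(1 for *_, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                stats = {"users": len(users), "attempts": len(win), "successes": successes}
                if ip not in flagged or stats["users"] > flagged[ip]["users"]:
                    flagged[ip] = stats
    return flagged


def flagged_ips(log_text: str) -> Dict[str, Dict[str, int]]:
    """Convenience wrapper: run the detector over raw log text."""
    return detect_stuffing(parse(log_text.splitlines()))


if __name__ == "__main__":
    for ip, stats in flagged_ips(SAMPLE_LOG).items():
        print(f"{ip}: {stats['users']} accounts, {stats['attempts']} attempts, "
              f"{stats['successes']} successes -> likely credential stuffing")
```

In this sample only 203.0.113.5 is flagged. The distinct-accounts-per-source signal is what separates stuffing from an ordinary lockout scenario: gina's three attempts hit one account, so she never trips the threshold. A production detector would additionally key on the session or device fingerprint, since stuffing tools rotate source addresses through proxy pools, and the one successful login from a flagged source (frank here) is the account to force a reset on and to check for reused passwords.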