J.Crew suffered a credential stuffing attack that may have compromised
the personal data of customers, the U.S. clothing retailer disclosed earlier
this week. Fraudulent activity was apparently noticed last spring, but the firm
did not reveal the number of compromised accounts on their website.
In a data breach notice sent to shoppers, the company states
that “through routine and proactive web scanning, we recently discovered
information related to your jcrew.com account. Based on our review, we believe
your email address (used as your jcrew.com username) and password were obtained
by an unauthorized party and in or around April 2019 used to log into your
It’s unclear why it took the company almost a year to notify
users, but studies show it takes an average of 197 days to
identify a data breach. Although the number of victims was not revealed, California
law obliges companies to send out security breach notices only if the incident
affected more than 500 residents. It’s safe to assume the number of victims
falls above that, potentially by an order of magnitude.
On top of the compromised email addresses and passwords, the
threat actor could have accessed additional information stored on the account,
including the last four digits of credit card numbers, expiration dates, card
types, billing addresses, order number and shipping confirmation numbers, along
with order status. In an attempt to minimize the damages, the company disabled the
accounts marked with suspicious activity, and asked users to reset their login
Data breaches and data leaks often take a long time to discover.
Don’t rely solely on corporate notification emails – a company can’t notify you
of a data breach or security incident unless they know about it. As
with any such leak incident, you should start changing the password for all of
your accounts, and by no means should you recycle any old passwords just
because it’s easier for you to memorize. Should you find it difficult, you can
always use a password manager. Don’t forget to keep
your security solution up to date and monitor all your online accounts for
suspicious activity. It’s always a good idea to enable 2FA (two-factor
authentication) for all of your e-commerce and social media websites. If somebody
tries to access your account, you’ll be notified of any questionable activity so
you can take immediate action.