What You Need to Know about the Hot Topic Data Breach
Table of Contents
- Published: Nov 28, 2024
Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees. Founded in 1989, the company employs over 10,000 associates and has over 600 stores in shopping malls all over the United States. Its headquarters is located in the City of Industry, California, and largely serves customers in the United States. Being a retailer with a large customer base in the U.S., there is no doubt the company must have been a target for data breaches many times.
In November 2024, Have I Been Pwned (HIBP), a breach notification site, alleged that Hot Topic suffered a data breach in October 2024 that exposed over 56 million customers' accounts with the company and its related brands, Torrid and Box Lunch. Affected data was said to include customers’ full names, email addresses, phone numbers, physical addresses, dates of birth, purchases, genders, and partial credit card (payment card) data for Hot Topic.
At first, “Satanic,”a threat actor, claimed responsibility for the Hot Topic data breach on BreachForums, a popular hacker forum, and reportedly put the dataset on sale for $20,000. It later lowered the price to $4,000 and demanded a $100,000 ransom from the company to take down the listing from hacker forums. The alleged data breach puts affected consumers at risk of financial fraud, identity fraud, and targeted social engineering attacks.
According to a Notice of Data Breach letter issued out of an abundance of caution, Hot Topic confirmed there was a data security incident that may have involved customers’ personal information. However, it said there was no proof that such information was accessed by any unauthorized party or compromised during the incident.
When Was the Hot Topic Data Breach?
In the Notice of Data Breach letter issued by Hot Topic after the alleged data security incident, the company confirmed identifying suspicious login activity to some of its customer’s Rewards accounts. It was determined that certain unauthorized parties launched automated attacks on Hot Topic’s mobile application and website on the following dates:
- February 7, 2023
- March 11, 2023
- May 19-21 2023
- May 27-28, 20233
- June 18-21, 2023
According to the company, these attacks were made using valid account credentials sourced from an unknown third party. Some sources say the alleged Hot Topic data breach appears to have happened in October 2024 and that the data affected spans from 2011 to date. However, the company has said it is not able to determine which, if any, customers’ Rewards accounts were accessed by unauthorized bad actors as opposed to authorized customer sign-ins during those periods of suspicious login activity.
How to Check If Your Data Was Breached
Based on its investigations up till early November 2024, Hot Topic has yet to confirm if any customers’ accounts were affected in the alleged data breach. However, the company warns that if the login to a customer’s Rewards account during the period of observed suspicious login activity was not authorized, the customer’s sensitive data may have been accessed by unauthorized parties.
Generally, you may have to check your Hot Topic Rewards account for unusual activity to determine if your information was exposed in the alleged data security incident. Also, if you saved details of a payment card to the account, the last four digits of the card number would have been compromised. Hence, any unusual charges on that card may indicate that your data was breached in the alleged incident.
Furthermore, if you have been receiving a high volume of spam emails with malicious attachments and suspicious links or unusual messages on your phone, your email address and phone number may have been breached in the alleged Hot Topic data security incident. In addition, make sure to review your bank accounts and credit reports for unusual charges that may suggest your data has been compromised.
What to Do If Your Data Was Breached
Even though Hot Topic has yet to make any official announcement confirming there was a data breach, as alleged, it is important to take precautions. If you believe your sensitive information may have been leaked in the alleged data security incident, you should reset your Rewards account login credentials immediately and choose a strong password. Similarly, you should contact your card company to mark your payment card invalid if saved on your Hot Topic Rewards account.
Another thing you should do if you suspect your information was compromised in the alleged Hot Topic data breach is change your email credentials, particularly your password. In addition, resetting your credentials across your other online profiles, including mobile apps, is recommended. To be on the safe side, you may also ask the three major credit reporting agencies in the United States to put a security freeze on your credit reports. Once this is in place, no credit reporting agency will disclose any data on your credit report without obtaining your approval.
Furthermore, it is important to monitor your financial accounts closely for unusual activity on your credit cards and bank accounts. Also, watch out for phishing attacks and avoid sharing sensitive information in response to unsolicited messages, even if they appear to emanate from known contacts.
Are There Any Lawsuits Because of the Data Breach?
Yes. Following allegations by “Satanic,” of selling Hot Topic’s customers’ personal data on the dark web, the company was sued via a class action complaint in California Federal Court on October 25, 2024. The class action, marked Case 2:24-cv-09215, was filed by Allison Barber, on behalf of herself and others similarly situated against Hot Topic, INC. d/b/a Hot Topic and Boxlunch, Torrid, LLC.
In the class action, the plaintiffs alleged Hot Topic’s negligent conduct and failure to properly secure and protect the sensitive data of their consumers and loyalty account (Rewards account) members. As a result of the alleged data security incident, the plaintiff and class members in the action claim they suffered injuries such as the following:
- Theft of their personally identifying information (PII)
- Invasion of privacy
- Diminished or lost value of PII
- Lost opportunity and costs associated with efforts to mitigate the consequences of the data breach
- The continued and increased risk to their PII, which remains unencrypted and available for use by unauthorized third parties
- Nominal damages
As a result, the plaintiff and class members believe they have been exposed to a heightened and imminent risk of identity theft and fraud. Hence, they demand for a jury trial on all claims triable. Generally, they seek remedy to the harms and injuries suffered during the alleged data breach.
Can My Hot Topic Information Be Used for Identity Theft?
Yes. If the alleged Hot Topic data breach turns out to be true and your sensitive data, including personally identifying information, were compromised, you could be targeted for identity theft. Typically, if a scammer has your full name, phone number, physical address, and some other personally identifying information, they may steal your identity, impersonate you, and break into your financial accounts. In some instances, they may even apply for government benefits and take out credit in your name.
What Can You Do to Protect Yourself Online?
Despite Hot Topic’s commitment to safeguarding its customers’ data, the company confirmed observing multiple suspicious login activity on its consumers’ Rewards accounts in 2023. This buttresses the need to do everything possible within your power to protect your data online, particularly in this digital age when people have information littered everywhere on the web.
The following tips will help you safeguard yourself and your data online:
- Always use strong passwords (not easy to guess) for your online accounts. This is particularly advised for email accounts and the password should be separate from other online accounts. In addition, avoid using the same password across various online profiles.
- Be in tune with the latest security updates for your devices and apply them promptly as soon as they are deployed to keep your computers and phones up to date. Typically, most updates come with improvements and protection from all kinds of malware. Turning on automatic updates in your devices’ settings will always remind you whenever there are new updates.
- Enable two-factor authentication (2FA) on your online accounts (where available) to protect them from cybercriminals’ access. Typically, 2FA provides a secondary layer of security in such a way that even when your password is compromised, cybercriminals can still be kept out of your accounts.
- You can enroll in a credit monitoring service to help keep you abreast of any changes in your credit file. In addition, ensure to review your financial accounts and credit reports regularly for any unusual charges and suspicious activity.
- Learn to keep personal information personal and avoid sharing pointers to such information on social media profiles. Sometimes, cybercriminals may attempt to figure out your passwords using some of the information on your social media profiles, including your sibling’s names, mother’s maiden name, children’s names, and date of birth.
- Stay abreast of cybercriminals’ tactics by educating yourself on cybersecurity and data security using sites like IDStrong.
- When shopping online, confirm that the website uses secure technology. Any website using secure technology will begin with https.
- Avoid entering your passwords over unsecured networks, particularly over public Wi-Fi networks.
