Hackers used credential stuffing attacks to steal the personal data of 461,091 customers of the Uniqlo Japan and GU Japan online shops between April 23 and May 10 this year. Fast Retailing, owner of Uniqlo and GU, said that the number of compromised accounts may rise further, as the investigation into the data breach is still ongoing.
Sergiu Gatlan emphasizes the need for multi-factor authentication to thwart credential-stuffing hacks in this report from BleepingComputer:
On May 13, Fast Retailing disabled the account passwords of 461,091 UNIQLO Japan and GU Japan online shop customers and started sending emails to all affected individuals to reset their passwords.
Fast Retailing discovered the breach after multiple customers’ reports of weird account activity and blocked the attackers from accessing the company’s computing systems, while also “strengthening monitoring of other access points.” “Fast Retailing has also filed a report of damages regarding the unauthorized logins with the Tokyo Metropolitan Police,” states the data breach notification.
The company concludes the data breach notification [EN, JP] by asking all its customers to change their passwords, especially if they’re also using them on other online platforms: “Fast Retailing is therefore requesting everyone who uses the same user ID or password with other services, not just the customers who have been contacted individually, to change their passwords immediately. The company recognizes that protecting customer information is a matter of the highest priority, considering this incident extremely serious, and is strengthening monitoring of unauthorized access, as well as taking other steps to further ensure that customers are able to shop with safety.”
[…]
Since the beginning of 2019, there have already been a handful of successful credential stuffing attacks which managed to infiltrate the computing systems of TurboTax, Dunkin’ Donuts, Basecamp, and Dailymotion. Cybercriminals behind credential stuffing campaigns have designed them to be completely automated, making use of large collections of stolen credentials bought from underground markets to be able to take over customer accounts.
These attacks take advantage of both the fact that online platforms’ users will reuse their passwords on multiple websites/services and that only a small percentage of them will enable two-factor authentication (2FA) or multi-factor authentication (MFA) to protect their accounts.
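The automated replay of leaked username/password pairs that the report describes leaves a recognisable trace in authentication logs: one source tries many distinct accounts in a short window, almost all attempts fail, and the occasional success marks an account whose reused password has been guessed. The detector below, an added example that is not code from BleepingComputer or Fast Retailing, groups login events per source address over a sliding time window and flags sources with many distinct accounts and a low success ratio, then lists the accounts that were successfully logged into from a flagged source (the set a site would force-reset, as Fast Retailing did). The log format, the IP addresses and usernames, and the thresholds are all assumptions constructed for the example.

```python
"""Flag credential-stuffing sources in a simple authentication log.

Added example: the "timestamp src_ip username OK|FAIL" log format, the
sample addresses and users, and the thresholds are assumptions, not the
format or values of any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing source (203.0.113.7) cycling through
# many accounts with a single success, one legitimate user mistyping a
# password, and one office NAT address with several successful logins.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z 203.0.113.7 user01 FAIL
2019-04-23T10:00:02Z 203.0.113.7 user02 FAIL
2019-04-23T10:00:03Z 203.0.113.7 user03 FAIL
2019-04-23T10:00:04Z 203.0.113.7 user04 FAIL
2019-04-23T10:00:05Z 203.0.113.7 user05 FAIL
2019-04-23T10:00:06Z 203.0.113.7 user06 FAIL
2019-04-23T10:00:07Z 203.0.113.7 user07 OK
2019-04-23T10:00:08Z 203.0.113.7 user08 FAIL
2019-04-23T10:00:09Z 203.0.113.7 user09 FAIL
2019-04-23T10:00:10Z 203.0.113.7 user10 FAIL
2019-04-23T10:00:11Z 203.0.113.7 user11 FAIL
2019-04-23T10:00:12Z 203.0.113.7 user12 FAIL
2019-04-23T10:03:00Z 198.51.100.5 alice FAIL
2019-04-23T10:03:20Z 198.51.100.5 alice FAIL
2019-04-23T10:03:45Z 198.51.100.5 alice OK
2019-04-23T10:04:00Z 192.0.2.20 carol OK
2019-04-23T10:04:30Z 192.0.2.20 dave OK
2019-04-23T10:05:00Z 192.0.2.20 erin OK
2019-04-23T10:05:30Z 192.0.2.20 frank OK
2019-04-23T10:06:00Z 192.0.2.20 grace OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e[0])


def detect_stuffing(events, window=timedelta(minutes=10), min_users=10, max_success_ratio=0.2):
    """Return {src_ip: summary} for sources that look like credential stuffing.

    A source is flagged if, within any sliding window of `window` length, it
    attempted at least `min_users` distinct accounts and at most
    `max_success_ratio` of those attempts succeeded. A single user retrying
    their own password, or a NAT address with mostly successful logins, does
    not meet both conditions.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                # Summarise over all of this source's events once it is flagged.
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({u for _, u, _ in evs}),
                    "successes": sum(1 for _, _, ok in evs if ok),
                    # Accounts to force-reset: successful logins from the stuffing source.
                    "compromised": sorted({u for _, u, ok in evs if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are the part to tune against a site's own traffic: a shared corporate or mobile-carrier address legitimately carries many distinct accounts, so the distinct-user count alone is a poor signal, and it is the combination with a low success ratio (plus, in a real deployment, signals such as new device or geography for the successful logins) that separates stuffing from a busy NAT. The same grouping can be keyed on user agent or TLS fingerprint instead of IP when an attacker rotates addresses.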