‘Credential stuffing’ attack hits J. Crew

A common hacking technique has exposed personal information of some J. Crew customers.

According to a letter from the J. Crew customer care center which has been posted online by the California Attorney General’s office, an “unauthorized party” is believed to have used stolen user emails and passwords to fraudulently log into their J. Crew accounts in April 2019. Information leaked in the hack includes the last four digits of credit card numbers stored in compromised accounts, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders. 

J. Crew does not believe any other information was exposed. The retailer says it discovered the breach through “routine and proactive Web scanning.”

According to Ameet Naik, security evangelist at Web security provider PerimeterX, a popular method of intrusion known as “credential stuffing” was behind this attack.

“The hackers in this case were after credit card numbers,” said Naik. “They used credential stuffing, also known as account takeover (ATO) attacks, to gain access to J. Crew’s servers and siphon off this valuable bounty directly from their databases. Hackers typically use automated bots to rapidly try thousands of stolen usernames and passwords until they hit the jackpot.”

To protect against credential stuffing attacks, Naik advises retailers to develop bot mitigation capabilities and consumers to use different passwords on different sites and lock down their credit records as much as possible.

J. Crew has disabled affected accounts and will require that customers whose data was exposed in the breach contact its customer care center to review their account and reset their password. J. Crew also recommends customers change their password on any other account where they use the same password discovered in this incident.