PetSmart reportedly responds to ongoing cyberattack

PetSmart is responding to an attempted cyberbreach.

PetSmart is reportedly taking steps to counteract a current effort to steal customer information.

According to a recent posting on the X social platform from the verified "Dark Web Informer" account, the pet supplies and services retailer’s data security team sent customers registered with its e-commerce site an email notifying them of what appears to be an effort to illegally obtain their password information.

"We want to assure you that there is no indication that or any of our systems have been compromised," PetSmart said in the email text posted on X. "Instead, our security tools saw an increase in password guessing attacks on and during this time your account was logged into. While the log in may have been valid, we wanted you to know."

The email goes on to say that PetSmart has inactivated user passwords on their PetSmart accounts "in an abundance of caution," and that customers can reset their accounts on the PetSmart site. 

It also warns customers that "fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites," and closes with a recommendation that customers use strong passwords for each of their important accounts.

According to data from Visa, the first half of 2023 saw a 40% increase in enumeration attacks, or “brute force” attacks in which cybercriminals submit large numbers of user name and password combinations.

In an email to Chain Store Age, Darren James, senior product manager at Specops Software, an Outpost24 company, said that credential stuffing attacks like the one PetSmart is reportedly experiencing exploit the common occurrence of “password fatigue” among consumers.

"We all have so many passwords to remember for both work and personal use that we tend to re-use the same passwords across multiple systems," said James. "Once one of the systems is breached and the password exposed, it then opens up potentially many other systems that users use leading to account takeover, and potentially financial or reputational loss. Even if no data is stolen from such attacks, it is still useful information for the threat actors that this user is prone to re-using passwords and could trigger further incursion attempts. It’s vital that organizations continuously scan their users’ passwords against regularly updated breached password databases and not just scan them as and when they are changed or reset."
