UPDATED 23:23 EDT / MAY 14 2019

SECURITY

Uniqlo hacked with 460,000 customer records stolen

Japanese global clothing outlet Uniqlo, owned by Fast Retailing Co. Ltd., has been hacked, with the details of 460,000 online customers stolen.

The hack, which also saw data stolen from GU, another brand owned by Fast Retailing, involved the theft of customer data that included full name, physical and email address, phone number, gender, birth date, purchase history and partial credit card numbers. The credit card data only included the first and last four digits of customer credit cards and not their CVV numbers or expiration dates.

Official details of how the hack took place remain vague. Fast Retailing, which disclosed the incident Tuesday, said only that it took place between April 23 and May 10 and that it was taking measures to block unauthorized access to accounts and invalidate affected customer passwords.

Some reports suggested that Uniqlo was hacked using credential stuffing, a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with the corresponding passwords, are used to gain unauthorized access to user accounts. Customers whose data was stolen are being asked to reset their passwords, according to The Japan Times.

Chris Kennedy, chief information security officer and vice president of customer success at automated validation platform AttackIQ Inc., told SiliconANGLE that it’s alarming that the hacker moved through the company’s network to pilfer the data of approximately 460,000 users before being discovered. “This leaves the questions of whether Uniqlo had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if Uniqlo was exclusively relying on users with user access to not engage in malicious activity,” he said.

Kevin Gosschalk, chief executive officer of security firm Arkose Labs Inc., noted that the Uniqlo breach shines a light on the seriousness of hackers carrying out automated attacks at scale.

“After nearly half a million accounts have been compromised, Uniqlo is urging users to not only reset their passwords but to create a unique password for their accounts to reduce the chances of being hacked,” Gosschalk said. “Although that is a good immediate first step, companies can’t guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface.”

Ben Goodman, vice president of global strategy and innovation at identity and access management software firm ForgeRock Inc., warned that credential-stuffing attacks represent a seemingly infinite cycle of hackers using previously stolen personally identifiable information to obtain unauthorized access to additional user accounts. But he said there’s a way to halt that cycle.

“Implementing solutions such as multifactor authentication and identity-proofing tools to verify user identities will greatly hinder the success of future credential stuffing attacks,” he said.

Photo: shinyasuzuki/Flickr
